

Asus k50c Battery

Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web browsers to inject ads into pages, even HTTPS encrypted websites, using an egregious root CA certificate.

"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," US-CERT said on Friday, urging people to remove the adware. "Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

In a detailed rundown – including instructions on how to remove the badware – the Homeland Security team said select Lenovo Windows laptops built since September 2014* harbor Superfish VisualDiscovery. Lenovo stopped bundling the software in January 2015.

The malware installs its own root CA certificate so it can silently intercept and decrypt HTTPS connections, allowing it to tamper with pages – namely, injecting ads for stuff to buy online. For example, if you visit on an affected laptop, your web browser is hijacked to connect through Superfish's software, but the user is none the wiser. The Superfish root CA certificate convinces the browser that everything is OK.

The private key for this certificate is hardcoded into VisualDiscovery's executable, and easily extractable. This means anyone can use it to create spoof websites that will be trusted by vulnerable laptops, allowing miscreants to pull off man-in-the-middle attacks and steal login passwords. In other words, your connection to, say, on a Lenovo laptop may look legit with a little padlock in the top corner of the window, but in reality the website could be malicious and masquerading as the real site so it can learn your login details.

The CERT advisory says Superfish uses Komodia's Redirector with SSL Digestor to intercept web connections. It points out that the same code is also used in free parental control software dubbed KeepMyFamilySecure (the irony), and it is not exclusive to Lenovo products. Other apps and products are bundling the adware.

Superfish, founded in 2006, is a small company based in Palo Alto, California, and has reportedly received about $20m in funding since 2009. Journalist Thomas Fox-Brewster has more on the background of Superfish and Komodia, here.

Microsoft agrees that this whole mess is bad news for users. On Friday the Redmond giant told El Reg its antivirus software Windows Defender now detects and removes the Superfish software from Lenovo devices. And sources familiar with the matter told us Microsoft's tool not only removes the Superfish software, but also the rather cheeky root certificate.

Superfish insists computer users have nothing to worry about, and contradicts the US government's assertion that this is a major problem.

"Despite the false and misleading statements made by some media commentators and bloggers, the Superfish code does not present a security risk," its CEO Adi Pinhas told El Reg in a statement, adding that the company doesn't store or share personal data.

"Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped," he explained.

"Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

There's no word from Lenovo on the US government's Superfish alert. On Thursday the PC maker's CTO Peter Hortensius said his firm isn't trying to get into an argument with the security guys, and insisted the code was safe to use.

Updated at 1407 Pacific Time (2207 UTC) It's claimed the Komodia proxy server used by the Superfish adware is worse than previously thought: any man-in-the-middle attacker can create a spoof HTTPS website that is trusted by laptops with the Superfish root CA certificate installed, without having to use the extracted private key. Self-signed SSL certificates are converted into valid ones, we're told.

"All the users out there with Komodia-powered Parental Control software or adware [can] have their banking connections easily intercepted. Well, good job," says CloudFlare security bod Filippo Valsorda.

* US-CERT initially said Lenovo was bundling Superfish's software since 2010, although it has since corrected that to September 2014 after Lenovo complained. In a statement to El Reg, the computer giant said:

+Comment Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong. That's despite rating the severity of the deliberate infection as high on its own website. Well played, Lenonope.

Superfish was bundled on new Lenovo Windows laptops with a root CA certificate so it could intercept even HTTPS-protected websites visited by the user and inject ads into the pages. Removing the Superfish badware will leave behind the root certificate – allowing miscreants to lure Lenovo owners to websites masquerading as online banks, webmail and other legit sites, and steal passwords in man-in-the-middle attacks.

"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping," Lenovo said in a statement on Thursday. "We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."

Step-by-step instructions on how to remove the Superfish application, and the certificate it uses to impersonate trusted sites, have been published by Lenovo. Firefox users may have to take extra steps. If you use any of the following products, or someone you know does, you should check it for Superfish's crapware:

Security experts are warning that the Superfish code is so badly designed that it is easy to extract the private key to its root CA certificate. This private key can be used to generate SSL certificates that a nefarious website can use to masquerade as a legit site.

For example, if you're a bad person working in a cafe with control over its public Wi-Fi, and you see an affected Lenovo user join your network, you can attempt to redirect their connection to an online bank to your own password-stealing server. Your server can use a rogue SSL certificate generated from Superfish's leaked private key to masquerade as the bank's dotcom. The Superfish root CA certificate on the laptop tells the browser to trust the dodgy connection – and the user will be none the wiser (unless they inspect the SSL session, which no one does).

In the past 24 hours websites such as and have been created to identify PCs with the rogue root CA installed, using SSL certificates signed by the leaked private key. If you're on a Lenovo machine and you don't see any errors about the HTTPS connection to these websites in your web browsers, you've got the bad certificate installed.
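A local check for the leftover root certificate, written as an added example for this page and not Lenovo's, Microsoft's or US-CERT's removal tool: it looks in the Windows machine and user trusted-root stores for any certificate whose subject names Superfish and, only when run with -Remove, deletes what it finds. The service name VisualDiscovery is an assumption taken from the product name quoted above, and Firefox's separate NSS certificate database is not covered.

```powershell
# Added example: find (and optionally remove) the Superfish root CA that
# uninstalling the adware leaves behind. Run from an elevated PowerShell
# 3.0 or later (needed for Remove-Item on the Cert: drive).
param(
    [switch]$Remove   # default is report-only
)

# Trusted-root stores consulted by Windows and the browsers that use its
# store (IE, Chrome, Edge). Firefox keeps its own certificate database.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output 'No Superfish certificate in the Windows trusted-root stores.'
} else {
    Write-Warning 'Superfish root CA present: any HTTPS site can be impersonated on this machine.'
    $found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

    if ($Remove) {
        foreach ($cert in $found) {
            # Windows may pop a confirmation dialog for the CurrentUser Root store.
            Remove-Item -Path $cert.PSPath -Verbose
        }
    }
}

# The adware itself. Service name assumed to match the product name
# "VisualDiscovery" from the advisory; adjust if it differs on your build.
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Warning "Superfish service '$($svc.Name)' is still installed (status: $($svc.Status))."
}
```

Run it first without -Remove to see what would be deleted; an empty result from both stores and no service means only Firefox's own store is left to check.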

The software was preinstalled on a range of Lenovo's consumer laptops, a move Peter Hortensius, the firm's chief technology officer, admitted was a mistake. But he said that there were no security risks with using software which borks HTTPS.

"We’re not trying to get into an argument with the security guys," he told the Wall Street Journal. "They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more."

Normally Lenovo performs due diligence on all software it preinstalls but in this case the vetting procedure was not carried out well enough, he opined. The inclusion of such software is apparently covered in the tedious end user license agreement that no one reads.

In an extended statement Lenovo said Superfish wasn't a major contributor to the manufacturer's bottom line, and said the software did not build personal profiles of users – just advertising tailored to whatever the victim was browsing.

"Superfish has not been active on Lenovo laptops since December," Superfish's CEO Adi Pinhas told El Reg in a statement. "It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end."

That remains to be seen. Lenovo has a very close relationship with Microsoft as a top-flight box maker, and Redmond told El Reg today that it is probing the situation to see if the inclusion of the software breaks any of its licensing rules.
