Lenovo pre-loads 'Superfish' on some new laptops

Started by winchester73, February 19, 2015, 03:11:01 PM


Corrine

Image posted at BBR (h/t siljaline) showing the list of vendors using the Komodia Redirector from CERT (Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys) and will be detected by a https://filippo.io/Badfish/ scan:



Urizen (Nicolas Stark), Ann-Christine Åkerlund and Jason King should be hiding in shame.  From ABC News at http://abcnews.go.com/Technology/lenovo-faces-uproar-superfish-adware/story?id=29085435

Quote
Daniel Assouline, CEO at software company Lavasoft, told ABC News "the problem with Superfish isn't the problem of what they do, it's how they do it."


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

The image Corrine posted is explained here:  http://marcrogers.org/2015/02/19/will-the-madness-never-end-komodia-ssl-certificates-are-everywhere/

Also of note, Filippo Valsorda has updated his tool to test for Komodia products besides Superfish.

UPDATE - For those who wish to re-test all of their browsers, the Superfish CA + Komodia vulnerability test now detects all Komodia software and doesn't cache results:  https://filippo.io/Badfish/

How Komodia works:  https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

siljaline

For those socially oriented - you may follow Filippo in real-time on Twitter 
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Beware that the Wikipedia entry for SuperFish still exists. Most AV engines now actively block the URL.

See Tweet from Aryeh at ESET NA https://twitter.com/goretsky/status/568980798897922049


siljaline
MVPS Hosts . MBAM . Why ESET

winchester73

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

siljaline

The LOL-Lenovo debacle just won't go away!  LOL-Lenovo recently opined (but continues to lie, as the SuperFish software was bundled in as far back as 2012):

Quote
We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday [Friday, 20 February]. Now we are focused on fixing it.

Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed.

We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future.

http://www.theregister.co.uk/2015/02/22/lenovo_superfish_removal_tool/   
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Lenovo hit with lawsuit over Superfish snafu
Quote
Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter.
A proposed class-action lawsuit was filed late last week against Lenovo and Superfish, charging both companies with "fraudulent" business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. [...]
http://www.computerworld.com/article/2887245/legal/lenovo-hit-with-lawsuit-over-superfish-snafu.html
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Mozilla mulls Superfish torpedo
Quote
Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops.
The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks against innocent users in order to inject advertising into web searches. [...]
http://www.theregister.co.uk/2015/02/23/mozilla_mulls_super_phish_torpedo/
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Superfish stumper: What did Lenovo know and when did it know it?
Quote
What does a person have to do to get a pizza delivered? If you're in the area formerly known as the great American Northeast, now doubling as Westeros, only with more white walkers, apparently no action is good enough. How cold is it? When I accidentally stepped outside today, my nose hair flash froze and it felt like someone had fired a staple gun into my cheekbones. [...]
http://www.infoworld.com/article/2887237/cringely/superfish-stumper-what-did-lenovo-know-and-when-did-it-know-it.html
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

The LOL-Lenovo debacle continues as LOL-Lenovo Corporate begs for forgiveness -

Quote
Lenovo's top technical executive apologized once again for preinstalling laptops with software that intercepted customers' encrypted Web traffic, and the company has gone on to outline plans to ensure that similar mistakes don't happen again.

"This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads," Lenovo CTO Peter Hortensius wrote in an open letter published Monday. "Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners, and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize." [...]

http://arstechnica.com/security/2015/02/still-smarting-from-https-busting-superfish-debacle-lenovo-says-sorry/

h/t @ Dan Goodin, others, for bringing down the house on the ongoing LOL-Lenovo case.

siljaline
MVPS Hosts . MBAM . Why ESET

winchester73

Filippo Valsorda has updated his Superfish, Komodia, PrivDog vulnerability test once again to test for other SSL-disabling products:  https://filippo.io/Badfish/

According to Lenovo, Superfish may have appeared on these models:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

siljaline

The LOL-Lenovo betrayal of trust debacle continues unabated - 
Quote
"We're just kind of scratching the surface," said Ken Westin, a senior security analyst with cybersecurity firm Tripwire. "I guarantee you within the next week or two, we'll start hearing more about things like this."
Quote
Dave Fewer, director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic, described the flaw as "a huge betrayal of trust."
http://www.cbc.ca/news/technology/superfish-adware-frenzy-over-lenovo-betrayal-of-trust-1.2968640
siljaline
MVPS Hosts . MBAM . Why ESET

winchester73

The original purpose of this thread was to alert Lenovo users about an important breach of customer privacy and security by the world's largest PC maker.  Over the last five days, there has been much useful information posted about the implications of this MITM attack and how it cracks open secure connections.  As tools were developed and updated, instructions were provided on how to detect and remove the threat from an affected Lenovo consumer product.  This issue only pertained to a small percentage of the personal computers being used throughout the world, and ONLY specific Lenovo models.

After some discussion behind the scenes, it has been decided that the immediate threat has been neutralized, and the original purpose behind 3 pages of posts has been fulfilled ...  thus, this topic is now closed.

Anyone interested in additional information can easily find it via social media or by using their favorite search engine.  We now return you to your regularly scheduled forum.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member