When Lenovo was caught last week in the process of corrupting its customers safety and security in the name of selling ads, I thought they had committed such an outrageous act that no one would be able to match it.
Today I've learned that I lack sufficient imagination.
Ars Technica is reporting that two security software firms have been caught releasing security tools that incorporate Superfish-like man-in-the-middle code to the apps they publish.
And just so you know why I'm feeling poleaxed, we're talking about companies that make apps which are intended to protect you when you go online but in reality put you at a terrible risk of being attacked.
The first company, Lavasoft, offers an app called Ad-aware Web Companion. It's intended to complement firewall and antivirus tools and protect users from phishing, browser hijacking, and other attacks, but in reality this tool opens up users to just as many issues as it prevents.
According to security researcher Filippo Valsorda, Komodia's proxy software compromises a user's security by tricking web browsers into trusting any self-signed SSL certificate. This drastically reduces the work a malicious hacker would need to do to exploit a target's computer, making it easier for the hacker to convince a victim's computer that it is visiting (for example) the real Bank of America website when in reality the user was directed to a site where the hacker is collecting personal info.
Lavasoft apparently licensed this tech from Komodia (and then failed to perform basic security testing to make sure it was safe). But the good news is, Lavasoft is in the process of updating the tool to replace the dangerous code.
The other tool, PrivDog, isalso in the process of being updated.
PrivDog is the creation of Comodo CEO Melih Abdulhayoglu, and it is intended to protect users from malicious adverts by replacing the untrusted ads with safe ones. That sounds like a great idea, but it turns out that at least one version of PrivDog has an even bigger security flaw than Superfish.
According to Hanno Böcke, PrivDog will replace any SSL certificate it receives with its own certificates. This includes all certificates, including ones which weren't valid in the first place. So not only is this tool compromising your security by bypassing a basic security step, it's not even bothering to check to see who it is vouching for.
And do you know the really fun part? PrivDog is notable for not using even one line of code from Komodia, meaning that this bungling was entirely the fault of Comodo.
Luckily, the version of PrivDog which comes bundled with Comodo Internet Security does not contain the critical security flaw. Only the standalone version (which was released in December 2014) has this security issue, and Privdog has already released an advisory which warns of the issue and promises that it will be repaired. The notice says that 57,568 users are running the flawed version of Privdog, which will be updated tomorrow.
I'm sure both companies are serious about releasing updates, but if I were using these tools I would simply remove them and go find something else.
And then I'd fumigate my computer a half dozen different ways.
That's not hysteria, but simply good sense. The only way to know you're safe after having used these tools is to treat this as if it were a real attack and respond accordingly with all the necessary steps to repair the security holes.
image by johnvoo_photographer