
Security Software Found With Superfish-Style Security Holes

When Lenovo was caught last week undermining its customers' safety and security in order to sell ads, I thought they had committed such an outrageous act that no one would be able to match it.

Today I’ve learned that I lack sufficient imagination.

Ars Technica is reporting that two security software firms have been caught releasing security tools that incorporate Superfish-like man-in-the-middle code into the apps they publish.

And just so you know why I’m feeling poleaxed, we’re talking about companies that make apps which are intended to protect you when you go online but in reality put you at a terrible risk of being attacked.

The first company, Lavasoft, offers an app called Ad-aware Web Companion. It’s intended to complement firewall and antivirus tools and protect users from phishing, browser hijacking, and other attacks, but in reality this tool opens up users to just as many issues as it prevents.

Like the Superfish adware bundled with Lenovo laptops, Ad-aware Web Companion incorporates SSL-interception technology that Lavasoft bought from Komodia.

According to security researcher Filippo Valsorda, Komodia's proxy software compromises a user's security by tricking web browsers into trusting any self-signed SSL certificate. That drastically reduces the work an attacker has to do: anyone who can sit between the victim and the internet can present a certificate they made themselves for (for example) the real Bank of America website, and the victim's browser will treat the connection as genuine while the attacker collects the login details on a site of their own.

Lavasoft apparently licensed this tech from Komodia (and then failed to perform basic security testing to make sure it was safe). But the good news is, Lavasoft is in the process of updating the tool to replace the dangerous code.

The other tool, PrivDog, is also in the process of being updated.

PrivDog is the creation of Comodo CEO Melih Abdulhayoglu, and it is intended to protect users from malicious adverts by replacing the untrusted ads with safe ones. That sounds like a great idea, but it turns out that at least one version of PrivDog has an even bigger security flaw than Superfish.

According to Hanno Böck, PrivDog replaces every SSL certificate it receives with one of its own, signed by a root certificate it installs on the user's machine. That includes certificates which weren't valid in the first place (expired, self-signed, or issued for some other site), all of which the browser would otherwise have rejected with a warning. So not only is this tool bypassing a basic security check, it isn't even looking at what it is vouching for before it vouches.
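The bug in both the Komodia and the PrivDog paragraphs above is the same one: the proxy hands the browser a certificate the browser now trusts without first checking what the site actually presented. The Go program below is an added example written for this post, not code from PrivDog, Komodia, Lavasoft or Comodo. It builds two constructed roots (a stand-in for a public CA and the interception root such a tool installs on the victim's machine), then plays an attacker's self-signed certificate for the constructed hostname bank.example through an unchecked re-signing path and a checked one. All the names, hosts and function names are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a root certificate plus its private key: what an interception tool installs into the victim's trust store and then signs with.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// must unwraps a value or panics; certificate setup only fails if the platform RNG is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair and a certificate for name (a CA when isCA is set), signed by parent when one is given and self-signed otherwise.
func newCert(name string, isCA bool, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	parentCert, signer := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// NewCA creates a self-signed root; both roots used below are constructed stand-ins, not real authorities.
func NewCA(name string) *CA {
	cert, key := newCert(name, true, nil)
	return &CA{Cert: cert, Key: key}
}

// chainsTo reports whether cert validates for host against roots.
func chainsTo(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// ResignUnchecked mirrors the PrivDog behaviour the post describes: whatever the origin presented, valid or not, comes back signed by the proxy root.
func ResignUnchecked(upstream *x509.Certificate, proxy *CA) *x509.Certificate {
	cert, _ := newCert(upstream.Subject.CommonName, false, proxy)
	return cert
}

// ResignChecked is the corrected behaviour: validate the origin's chain against the public roots first, and refuse to vouch for anything that fails.
func ResignChecked(upstream *x509.Certificate, proxy *CA, publicRoots *x509.CertPool, host string) (*x509.Certificate, error) {
	if !chainsTo(upstream, publicRoots, host) {
		return nil, errors.New("origin certificate did not validate; refusing to re-sign")
	}
	cert, _ := newCert(host, false, proxy)
	return cert, nil
}

// RunScenario plays an attacker holding a self-signed certificate for bank.example (a constructed
// hostname) through each path and reports what a browser whose trust store contains the proxy root would accept.
func RunScenario() (attackerDirect, uncheckedProxy, checkedRejected, checkedLegit bool) {
	const host = "bank.example"
	publicCA, proxyCA := NewCA("public-ca.example"), NewCA("interception-root.example")
	publicRoots, browserRoots := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA.Cert)
	browserRoots.AddCert(publicCA.Cert)
	browserRoots.AddCert(proxyCA.Cert) // the tool's install step on the victim's machine
	genuine, _ := newCert(host, false, publicCA)
	attacker, _ := newCert(host, false, nil)
	attackerDirect = chainsTo(attacker, browserRoots, host) // false: the browser would warn
	uncheckedProxy = chainsTo(ResignUnchecked(attacker, proxyCA), browserRoots, host) // true: warning gone
	_, err := ResignChecked(attacker, proxyCA, publicRoots, host)
	checkedRejected = err != nil // true: the attacker's certificate is refused
	resigned, err := ResignChecked(genuine, proxyCA, publicRoots, host)
	checkedLegit = err == nil && chainsTo(resigned, browserRoots, host) // true: the real site still works
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it and the four results are false, true, true, true: on its own the attacker's self-signed certificate is rejected, after unchecked re-signing the same certificate is accepted without a murmur, and the checked proxy refuses it while still passing the genuine certificate through. The only thing separating the dangerous version from the safe one is the single Verify call before re-signing, which is exactly the check the post says these tools skipped.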

And do you know the really fun part? PrivDog is notable for not using even one line of code from Komodia, meaning that this bungling was entirely Comodo's own work.

Luckily, the version of PrivDog which comes bundled with Comodo Internet Security does not contain the critical security flaw. Only the standalone version (released in December 2014) has this security issue, and PrivDog has already released an advisory which warns of the issue and promises a fix. The notice says that 57,568 users are running the flawed version, which will be updated tomorrow.

I’m sure both companies are serious about releasing updates, but if I were using these tools I would simply remove them and go find something else.

And then I’d fumigate my computer a half dozen different ways.

That’s not hysteria, but simply good sense. The only way to know you’re safe after having used these tools is to treat this as if it were a real attack and respond accordingly, which means not just uninstalling the program but also removing the root certificate it installed in your computer's trust store; as long as that root is still trusted, anyone who can sign with it can impersonate any site to your browser.

image by johnvoo_photographer

Comments


puzzled February 23, 2015 at 3:33 pm

Quis custodiet ipsos custodes?


puzzled February 23, 2015 at 3:37 pm

Not to mention: any website that pops up a 'are you sure you want to leave our site?' message box should be taken out and shot.

Nate Hoffelder February 23, 2015 at 3:52 pm

When I get one of those sites I go run my usual post-attack security checks just in case.


Richard Adin February 24, 2015 at 5:43 am

Why not use a program like Sandboxie which keeps the malicious code, if any, from getting to your hard drive in the first place? (I have no interest in Sandboxie except as a user who bought a lifetime license for 3 computers and who is a very happy user of the product, although there are certain things I wish they would do to make it more user-friendly.)

Nate Hoffelder February 24, 2015 at 6:30 am

It wouldn’t help here. Sandboxie will work to protect you from malicious programs, but the security issues here go deeper than that.

Sandboxie is like having someone monitor the activity inside your house, while these security issues are like having some fool copy your front door keys and hand them out to anyone who asks. By the time the hackers get to the front door, it’s too late for Sandboxie to do anything.

