by Dan Goodin – Feb 23, 2015 2:17am EST
Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet’s Transport Layer Security certificates, making it the world’s biggest certificate authority.
Lavasoft and Comodo were added to the list just as researchers were discovering simpler, more potent ways to exploit the vulnerabilities.
Late last week came word that self-signed Secure Sockets Layer certificates installed by a company called Komodia caused most browsers to trust any self-signed certificate that used the same easily extracted private key. That was bad, but now, researchers have discovered vulnerabilities in the closely related proxy software of interception applications from Komodia and Comodo. The new insight makes it even easier for attackers to forge trusted credentials that impersonate Bank of America, Google, or any other HTTPS-protected destination on the Internet.
“What all these applications have in common is that they make people less secure.”
The first case involves Lavasoft Ad-aware Web Companion, software that’s distributed by antivirus provider Lavasoft. Like the Superfish software included in Lenovo laptops, and like the more than 14 other companies later confirmed to be affected, Lavasoft incorporated SSL-interception technology sold by Komodia.
As discovered over the weekend by security researcher Filippo Valsorda, the SSL-intercepting proxy software behind the Komodia root certificates will cause most browsers to trust any self-signed certificate, as long as the name of the targeted website is inserted into the certificate’s alternate name field. That discovery dramatically lowers the bar for successful exploitation of the serious vulnerability.
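The acceptance rule Valsorda describes, placed side by side with what a proper TLS client requires, as an added example; this is not code from the article, from Komodia, or from any of the affected products. Certificates are represented as the dicts that Python's `ssl.SSLSocket.getpeercert()` returns; the trust store and every certificate below are constructed for the demonstration, and the "chains to a trusted root" step is modelled by issuer/subject name comparison rather than real signature verification.

```python
"""Added example: the Komodia-style acceptance rule next to a proper check.
Certificates are modelled as the dicts ssl.SSLSocket.getpeercert() returns.
The trust store and every certificate below are constructed for this demo."""


def san_dns_names(cert):
    """DNS entries from a getpeercert()-style subjectAltName tuple."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, pattern):
    """Exact match, or one leftmost wildcard label ("*.example.com")."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        h_labels, p_labels = hostname.split("."), pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return hostname == pattern


def name_matches(cert, hostname):
    return any(hostname_matches(hostname, n) for n in san_dns_names(cert))


def is_self_signed(cert):
    return cert["subject"] == cert["issuer"]


def komodia_style_accepts(cert, hostname):
    """The rule the article describes: any certificate, self-signed included,
    is trusted as soon as the target name appears in its alternate-name field."""
    return name_matches(cert, hostname)


def proper_accepts(cert, hostname, trusted_roots):
    """What a real TLS client requires (simplified): the name must match AND
    the certificate must chain to a trusted root. Signature checking is out
    of scope here, so 'chains to' is modelled as the leaf's issuer equalling
    the subject of a root in the store; a self-signed leaf never passes."""
    if not name_matches(cert, hostname):
        return False
    if is_self_signed(cert):
        return False
    return any(cert["issuer"] == root["subject"] for root in trusted_roots)


# Constructed trust store with a single public root.
PUBLIC_ROOT_NAME = ((("organizationName", "Example Public CA"),),
                    (("commonName", "Example Public Root"),))
TRUSTED_ROOTS = [{"subject": PUBLIC_ROOT_NAME, "issuer": PUBLIC_ROOT_NAME}]

# Constructed: a certificate legitimately issued to the bank by that root.
LEGIT_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": PUBLIC_ROOT_NAME,
    "subjectAltName": (("DNS", "www.bankofamerica.com"),
                       ("DNS", "bankofamerica.com")),
}

# Constructed: a self-signed certificate with the bank's name placed in the
# alternate-name field, the shape Valsorda found the proxy would accept.
FORGED_CERT = {
    "subject": ((("commonName", "not-a-real-ca"),),),
    "issuer": ((("commonName", "not-a-real-ca"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"),
                       ("DNS", "*.google.com")),
}


def compare(cert, hostname, trusted_roots=TRUSTED_ROOTS):
    """Return both verdicts so the gap between them is visible."""
    return {
        "komodia_style": komodia_style_accepts(cert, hostname),
        "proper": proper_accepts(cert, hostname, trusted_roots),
    }


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_CERT), ("forged", FORGED_CERT)):
        for host in ("www.bankofamerica.com", "mail.google.com"):
            print(f"{label:10s} {host:22s} {compare(cert, host)}")
```

The forged certificate passes the name check for both the bank and any Google host (via the wildcard entry) while failing the chain check, which is exactly the gap the proxy's validation left open: name matching alone is never a substitute for chain validation.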
Lavasoft Ad-aware Web Companion is free privacy software Lavasoft markets as a companion to regular antivirus protection. Lavasoft appears to have licensed the Komodia engine and put it into the Companion product for inspecting SSL traffic. Most other AV products use similar self-signed certificates to detect SSL-injected threats, but so far there are no reports of other AV companies using such vulnerable implementations. At the time this post was being written, Lavasoft was unable to confirm if the vulnerable Komodia code was fully removed from the latest version of Companion. The company is prepared to issue a new version on Monday, if necessary.
The second security-marketed software was “PrivDog,” which is the creation of Comodo CEO Melih Abdulhayoglu. Valsorda told Ars that the stand-alone version of PrivDog will cause most browsers to trust any self-signed certificate, a breathtaking vulnerability that leaves users wide open to easily executed man-in-the-middle attacks that completely bypass HTTPS protections.
Besides its ties to Comodo—a certificate authority that’s trusted by all major operating systems—PrivDog is notable for not containing any traces of Komodia technology. The version of PrivDog that’s bundled with Comodo Internet Security does not contain the same critical weakness, Valsorda said.
PrivDog bills itself as software that enhances security and privacy by replacing ads in Web pages with ads from trusted sources. Presumably, the vulnerable version of PrivDog is using the man-in-the-middle proxy and certificate to replace ads in HTTPS-protected sites. Abdulhayoglu and other Comodo officials didn’t respond to e-mail seeking comment for this post.

Update: On Monday, PrivDog issued a statement reiterating what Ars already reported, that the vulnerability resides in the stand-alone version only. Fewer than 58,000 users are affected. Remarkably, PrivDog rated the threat as “low.” That seems to be a massive understatement, given the harm that can be done, no matter how many users are affected.

Readers with either Lavasoft Ad-aware Web Companion or the stand-alone version of PrivDog should err on the side of caution and uninstall both the app and the underlying root certificate as soon as possible.
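A way to tell from the endpoint whether an interception root like the ones described above is still active, as an added example that is not part of the article and not code from any of the products named. It opens a real TLS session with Python's default context (which on Windows consults the system root store, so an installed interception root would validate rather than fail) and examines the certificate the client actually receives. The keyword list is an assumption about what such products put in their issuer names, not data from the article; the two sample certificate dicts are constructed.

```python
"""Added example: endpoint-side check for an active TLS-interception root.
The keyword list is an assumption; the sample certificates are constructed."""

import socket
import ssl

# Assumed: substrings expected in the issuer of an interception root. Extend
# this with a baseline of issuers recorded on a known-clean machine.
SUSPECT_ISSUER_KEYWORDS = ("komodia", "privdog", "superfish", "lavasoft", "ad-aware")


def issuer_text(cert):
    """Flatten a getpeercert()-style issuer into one lowercase string."""
    return " ".join(value for rdn in cert.get("issuer", ()) for (_, value) in rdn).lower()


def interception_verdict(cert):
    """Return (suspicious, reason) for one peer certificate dict.

    A self-signed leaf for a public site, or an issuer naming a known
    interception product, means the session terminated at a local proxy."""
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        return True, "self-signed leaf presented for a public site"
    issuer = issuer_text(cert)
    for keyword in SUSPECT_ISSUER_KEYWORDS:
        if keyword in issuer:
            return True, f"issuer names an interception product ({keyword})"
    return False, "issuer not recognised as an interception product"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Open a real TLS session with the default (system) trust store and
    return the leaf certificate as a dict. Network access required."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_host(hostname):
    """Live check of one host; returns (hostname, suspicious, reason)."""
    suspicious, reason = interception_verdict(fetch_peer_cert(hostname))
    return hostname, suspicious, reason


# Constructed samples standing in for two getpeercert() results.
CLEAN_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public Root"),)),
}
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Komodia (hypothetical sample)"),),
               (("commonName", "Local interception root"),)),
}

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, INTERCEPTED_SAMPLE):
        print(interception_verdict(sample))
    for host in ("www.google.com", "www.bankofamerica.com"):
        try:
            print(check_host(host))
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            print(host, "connection failed:", exc)
```

Run it after uninstalling the application and the root certificate: a public site whose leaf is still issued by a local root, rather than by a public CA, shows the root is still trusted and the proxy still active. Because the check goes through the system trust store, a clean machine reports the public CA the site really uses, while an intercepted one reports the local root, which is the difference that matters once the advice above has been followed.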
Post updated to add statement from PrivDog.