Security software found using Superfish-style code, as attacks get simpler

by Dan Goodin – Feb 23, 2015 2:17am EST
Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet’s Transport Layer Security certificates, making it the world’s biggest certificate authority.

Lavasoft and Comodo were added to the list of affected vendors just as researchers were discovering simpler, more potent ways to exploit the vulnerabilities.

Late last week came word that self-signed Secure Sockets Layer certificates installed by a company called Komodia caused most browsers to trust any self-signed certificate that used the same easily extracted private key. That was bad, but now, researchers have discovered vulnerabilities in the closely related proxy software of interception applications from Komodia and Comodo. The new insight makes it even easier for attackers to forge trusted credentials that impersonate Bank of America, Google, or any other HTTPS-protected destination on the Internet.

“What all these applications have in common is that they make people less secure.”
The first case involves Lavasoft Ad-aware Web Companion, software that’s distributed by antivirus provider Lavasoft. Like the Superfish software included in Lenovo laptops, and like the products of more than 14 other companies later confirmed to be affected, Lavasoft’s product incorporates SSL-interception technology sold by Komodia.

As discovered over the weekend by security researcher Filippo Valsorda, Komodia’s SSL-intercepting proxy software will cause most browsers to trust any self-signed certificate, as long as the name of the targeted website is inserted into the certificate’s subject alternative name field. That discovery dramatically lowers the bar for successful exploitation of the serious vulnerability.

Lavasoft Ad-aware Web Companion is free privacy software Lavasoft markets as a companion to regular antivirus protection. Lavasoft appears to have licensed the Komodia engine and put it into the Companion product for inspecting SSL traffic. Most other AV products use similar self-signed certificates to detect SSL-injected threats, but so far there are no reports of other AV companies using such vulnerable implementations. At the time this post was being written, Lavasoft was unable to confirm if the vulnerable Komodia code was fully removed from the latest version of Companion. The company is prepared to issue a new version on Monday, if necessary.

The second piece of security-marketed software is PrivDog, the creation of Comodo CEO Melih Abdulhayoglu. Valsorda told Ars that the stand-alone version of PrivDog will cause most browsers to trust any self-signed certificate, a breathtaking vulnerability that leaves users wide open to easily executed man-in-the-middle attacks that completely bypass HTTPS protections.

Besides its ties to Comodo—a certificate authority that’s trusted by all major operating systems—PrivDog is notable for not containing any traces of Komodia technology. The version of PrivDog that’s bundled with Comodo Internet Security does not contain the same critical weakness, Valsorda said.

PrivDog bills itself as software that enhances security and privacy by replacing ads in Web pages with ads from trusted sources. Presumably, the vulnerable version of PrivDog is using the man-in-the-middle proxy and certificate to replace ads in HTTPS-protected sites. Abdulhayoglu and other Comodo officials didn’t respond to e-mail seeking comment for this post. Update: On Monday, PrivDog issued a statement reiterating what Ars already reported, that the vulnerability resides in the stand-alone version only. Fewer than 58,000 users are affected. Remarkably, PrivDog rated the threat as “low.” That seems to be a massive understatement, given the harm that can be done, no matter how many users are affected. Readers with either Lavasoft Ad-aware Web Companion or the stand-alone version of PrivDog should err on the side of caution and uninstall both the app and the underlying root certificate as soon as possible.

Post updated to add statement from PrivDog.
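The two failure modes the article describes, worked through in Go as an added example that is not part of the Ars Technica article or of any product named in it. It constructs a self-signed certificate that merely lists the target host in its subject alternative name field (the forgery Valsorda described), a hypothetical interception root, and a server certificate that root signs. It then compares a name-only check that mirrors the flawed proxy logic with standard chain validation, run with and without the root in the trust store, which is why the uninstall advice above covers the root certificate as well as the app. The host name `bank.example`, the root’s name, the `Outcome` type and all keys are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records how each validation strategy treats the constructed certificates.
type Outcome struct {
	ForgedAcceptedByNameOnly bool // flawed check: bare self-signed cert whose SAN names the host
	ForgedAcceptedByChain    bool // proper chain validation of the same cert, empty trust store
	LeafAcceptedWithRoot     bool // cert signed by the interception root, root still installed
	LeafAcceptedRootRemoved  bool // same cert once the root is gone from the trust store
}

// newTemplate builds a certificate body: CA fields when ca is set, otherwise server-certificate fields with name as a SAN.
func newTemplate(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key and signs tmpl with parent's key; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// nameOnlyCheck mirrors the flawed proxy logic: accept any certificate whose names include the host, never asking who vouches for it.
func nameOnlyCheck(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// chainCheck is what a browser does on its own: the certificate must chain to a root in the trust store and must name the host.
func chainCheck(cert *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// RunScenario builds the forgery, a hypothetical interception root and a leaf that root signs, then records what each check makes of them.
func RunScenario(host string) (out Outcome, err error) {
	forged, _, err := issue(newTemplate(host, false), nil, nil)
	if err != nil {
		return out, err
	}
	root, rootKey, err := issue(newTemplate("Example Interception Root", true), nil, nil)
	if err != nil {
		return out, err
	}
	leaf, _, err := issue(newTemplate(host, false), root, rootKey)
	if err != nil {
		return out, err
	}
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	afterRemoval := x509.NewCertPool() // the store once the root is uninstalled
	out.ForgedAcceptedByNameOnly = nameOnlyCheck(forged, host)
	out.ForgedAcceptedByChain = chainCheck(forged, host, afterRemoval)
	out.LeafAcceptedWithRoot = chainCheck(leaf, host, withRoot)
	out.LeafAcceptedRootRemoved = chainCheck(leaf, host, afterRemoval)
	return out, nil
}

func main() {
	out, err := RunScenario("bank.example") // constructed host name
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run with `go run`: the forged certificate passes the name-only check and fails chain validation, while the root-signed certificate passes chain validation only as long as the root stays in the pool. `x509.Verify` defaults to checking the server-authentication key usage, which is why the leaf template carries `ExtKeyUsageServerAuth`; passing an explicit empty pool rather than `nil` keeps Go from falling back to the system trust store.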


One response to “Security software found using Superfish-style code, as attacks get simpler”

  1. Best comment Ever!

    RRobArs

    Some of you sound like congress, coming up with magical fixes for the Internet.

    They should just engage the IP deflector shields and bounce the packets on a tangent knocking off hackers in nearby attack zones. If they flip the packets 90 degrees they can create a Möbius loop causing the hackers to enter a self-inflicted death spiral. It’s easy, I don’t know why browsers don’t
