This software seems a bit fishy…

Mar 04, 2015


Superfish? No, it’s not a new comic book character, it’s the latest security issue taking the Internet by storm. In the past few weeks, Lenovo were left rather red-faced after news broke of the substantial privacy issues caused by the Superfish software, which came pre-installed on Lenovo notebook computers between September 2014 and February 2015.

In short, the Superfish Visual Discovery software is designed to display adverts on websites that are visually similar to adverts the user has previously viewed. Although similar and legitimate methods of advertising already exist, namely tracking cookies, it was how Superfish handled users’ secure (HTTPS) web browsing that really caused a stir among Lenovo users and security experts.

Typically, when you access a secure website, your web browser and the website establish an encrypted connection, so that only the website and you can view the information being transferred. This is usually signified by a green HTTPS padlock at the top of the web browser.

The Superfish software was not content with being “locked out” of users’ secure web browsing. To overcome this, it installed its own root certificate on the computer and used it to create its own certificates for secure sites, essentially imitating each site’s legitimate certificate, which allowed it to open up and read the secure browsing session without the user’s knowledge. This meant that the software could display its adverts on “secure” websites, and potentially access any data being transferred through that session.

So, the key question is, did the Superfish software actually collect sensitive information? 

Currently there is no evidence to suggest it was collecting and storing sensitive information, but the bigger concern is that the method Superfish used to access such sites could aid attackers in accessing a user’s “secure” browsing session: the private key for the Superfish certificate was the same on every affected machine and has since been extracted (see the erratasec reference below). This is a man-in-the-middle attack, where data travelling from point A to point B is viewed, or even manipulated, in transit.

Lenovo have now released a tool to remove the Superfish installation and its rogue certificate, and many antivirus programs now detect the software as a potentially unwanted program (PUP). You should check whether your Lenovo computer has the Superfish software present and, if so, remove it.
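One way to carry out that check yourself, as an added example that is neither Lenovo’s removal tool nor code from the original post: the PowerShell script below looks through both Windows trusted root certificate stores for a root whose subject matches a pattern (assumed here to be the vendor name, "Superfish"), flags it if it is self-signed, and previews its removal unless you pass -Remove.

```powershell
<#
Added example (not Lenovo's removal tool or the original post's code):
report any trusted root certificate whose subject matches a pattern and
preview its removal. Run as Administrator to inspect the LocalMachine store.
#>
param(
    # Assumption: the rogue root names the vendor in its Subject field.
    [string]$Pattern = "*Superfish*",
    # Without -Remove the script only previews removal via -WhatIf.
    [switch]$Remove
)

# Both trusted root stores matter: Internet Explorer and Chrome on Windows
# trust a root placed in either one. Firefox keeps a separate store.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $Pattern } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Issuer, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Host "No trusted root certificate matching '$Pattern' found."
    return
}

$found | Format-List Store, Subject, Issuer, Thumbprint, NotAfter

foreach ($cert in $found) {
    # A self-signed root that no public CA issued is the hallmark of
    # TLS-intercepting software: every site certificate it forges chains to it.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Self-signed root trusted in $($cert.Store): $($cert.Subject)"
    }
    if ($Remove) {
        Remove-Item -Path $cert.PSPath
    } else {
        Remove-Item -Path $cert.PSPath -WhatIf
    }
}
```

Removing the certificate does not uninstall the Superfish software itself; use Lenovo’s removal tool (referenced below) for that. Firefox’s own certificate store is not inspected by this script.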

Is that the end?

The Superfish fiasco could be just the tip of the iceberg in terms of insecure pre-installed software, more commonly referred to as “bloatware”. After the Superfish issue hit the headlines, Lenovo admitted that third-party software pre-installed on their computers is not tested for security issues as rigorously as their own software. The same could well be true of other manufacturers.

What was most surprising was that this software came from a “trusted” source: Forbes magazine had rated the company behind Superfish as one of the most promising up-and-coming companies in America! Typically, you would expect to find issues like this in malicious software (malware), not in software shipped by the manufacturer.

You should always review, and where possible remove, any pre-installed software that comes with a newly purchased computer. Not only will this reduce the possibility of security issues such as Superfish, it will also free up system resources, allowing your computer to run more efficiently.

If you have any queries about the Superfish security vulnerability or any other cyber security matters, contact us via hacksight@paconsulting.com.

References:

http://support.lenovo.com/us/en/product_security/superfish

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

http://www.forbes.com/companies/superfish/
