Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish… While Superfish Says 'No Consumers Vulnerable'
from the own-it dept
Wednesday night, the security world blew up with the news (which had actually been out there for a while) that the adware/malware Superfish that Lenovo had been installing by default on many laptops included a massive and dangerous security vulnerability: it installed its own self-signed root HTTPS certificate and then basically mounted a man-in-the-middle attack on every single HTTPS connection — and did so with an easily hacked certificate, creating a giant vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo’s initial response, which didn’t even name which laptops Superfish was installed on, and made this blatantly bullshit statement:
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.
However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and put together a page about how to remove the software and the rogue certificate. That’s better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.
Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it’s only given a ridiculously misleading statement to reporters:
Superfish has not been active on Lenovo laptops since December. We standby this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.
It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable; we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.
First of all, at the time it “stood by” the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it’s simply not at all true that Superfish is “completely transparent” because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers absolutely were vulnerable.
Finally, there’s Komodia. As Robert Graham discovered when he hacked the Superfish certificate, the password is “komodia,” which just happens to be the name of a company that sells a product for… creating these kinds of man-in-the-middle attacks on HTTPS connections, mainly for parental spyware. The company is also entirely silent on this stuff. Its website looks like it hasn’t been updated recently. It has various blogs and a Facebook page, none of which appear to have been updated since 2013.
However, as security researchers are discovering, Komodia’s tool is being used in other crappy spyware/malware and always in the same terrible manner — all using the password “komodia.” As Marc Rogers notes:
What does this mean? Well, this means that those dodgy certificates aren't limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.
This problem is MUCH bigger than we thought it was.
The software known to use Komodia includes Komodia’s own “Keep My Family Secure,” Qustodio’s parental control software and the Kurupira Webfiler — all of which are likely very vulnerable thanks to this idiotic implementation.
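For anyone who wants to do that check on a Windows machine, here is an added example script (not code from Lenovo, Superfish, Komodia or the researchers quoted above). It audits the local certificate stores for two signals: a root or intermediate CA whose name matches the vendors named in this article (the name list is an assumption; extend it for other Komodia-based products as they are identified), and any CA certificate whose private key is present on the endpoint, which is exactly the condition that lets locally installed software intercept every HTTPS session.

```powershell
# Added example: audit Windows certificate stores for interception-style CA
# certificates like the Superfish one. Not Lenovo's, Superfish's or Komodia's code.
# Signal 1: subject/issuer names matching vendors named in the article
#           (the list below is an assumption; add names as needed).
# Signal 2: a trusted CA certificate whose private key is on this machine
#           (HasPrivateKey). End-user machines should not hold CA private keys;
#           a root that does can sign a certificate for any site on the fly.

$SuspectNames = @('Superfish', 'Komodia')   # assumption: names taken from the article

function Get-SuspectRootCerts {
    $stores = @(
        'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
        'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
    )
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert    = $_
            $reasons = @()
            foreach ($name in $SuspectNames) {
                if ($cert.Subject -match $name -or $cert.Issuer -match $name) {
                    $reasons += "name matches '$name'"
                }
            }
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present for a CA certificate'
            }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = @(Get-SuspectRootCerts)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Remediation, run from an elevated prompt once you have confirmed a finding
    # is not a legitimate enterprise CA (one line per finding $f):
    #   Remove-Item -Path "$($f.Store)\$($f.Thumbprint)"
    # Also uninstall the software that planted it, or the certificate may be
    # re-installed the next time that software runs.
} else {
    'No suspect CA certificates found in the checked stores.'
}
```

The private-key check is the more general of the two: it does not depend on knowing the vendor's name, so it will also surface the next product built on the same Komodia approach. Expect a hit from legitimate developer tooling (local debugging proxies install a CA the same way), so review each finding before removing anything.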
Lenovo, Superfish and Komodia all have done a piss poor job taking responsibility for the massive security vulnerability they created.