On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs.
Superfish uses a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It does this by installing its own root certificate in Windows and uses that certificate to re-sign SSL certificates presented by legitimate websites.
Security researchers found two major issues with this implementation. First, the software used the same root certificate on all systems and second, the private key corresponding to that certificate was embedded in the program and was easy to extract.
With the key now public, malicious hackers can launch man-in-the-middle attacks via public Wi-Fi networks or compromised routers against users who have Superfish installed on their systems.
But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.
Researchers have now found that the same SDK is integrated into other software programs, including parental control software from Komodia itself and other companies. And as expected, those programs intercept HTTPS traffic in the same way, using a root certificate whose private key can easily be extracted from their memory or code.
Some users have started compiling lists with the affected software programs, their certificates and their private keys. Those affected products include Keep My Family Secure, Qustodio and Kurupira WebFilter.
“I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method,” said Marc Rogers, principal security researcher at CloudFlare, in a post on his personal blog. “It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.”
U.S. government gets involved
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which is sponsored by the U.S. Department of Homeland Security, has issued a security advisory about the issue.
The main page on the Komodia website was replaced with a message that reads: “Site is offline due to DDOS with the recent media attention.”
Security researcher named Filippo Valsorda created a site where users can check if they’re affected by the Superfish issue, especially since the Superfish software was distributed in multiple ways, not just through Lenovo laptops. The site also contains instructions on how to remove the rogue Superfish root certificate from Windows and Firefox.
The same removal instructions should be applied to all certificates installed by products that use the Komodia SDK, but identifying them is not easy and it’s unlikely that all affected products have been found. Users shouldn’t remove any of the legitimate certificates that are in the Windows or Firefox certificate stores, because that could generate certificate errors on legitimate websites.
It’s not clear if any way will be found to fix this issue for all affected users that lets them avoid manually removing certificates. As Matthew Green, a cryptography professor at Johns Hopkins University, explains in a blog post, browser vendors can’t simply blacklist the certificates in their respective browsers because the affected software would continue to re-sign legitimate certificates and this would generate certificate errors that would prevent users from connecting to websites.
Microsoft is also unlikely to push an update that removes legitimate programs from computers that were willingly installed by users, such as parental control applications, because that would set a dangerous precedent.