Lenovo Security Advisory - Superfish Vulnerability

Corrine

From Superfish Vulnerability - Lenovo Support (US):

Lenovo Security Advisory: LEN-2015-010
Potential Impact: Man-in-the-Middle Attack
Severity: High

Summary:

This advisory only applies to Lenovo Notebook products.

(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)

There was a press frenzy yesterday, continuing today, about the inclusion of Superfish on 43 models of Lenovo products. Although the installation of Superfish (long considered a PUP, a Potentially Unwanted Program) had been known since September, it was only learned yesterday that the Superfish security certificate was included as well and, more importantly, that it could be used in a man-in-the-middle attack (see Errata Security: Extracting the SuperFish certificate).

A search for "Lenovo Superfish" will turn up a long list of articles (there is also a topic at LzD with a number of references). If you recently purchased a Lenovo computer, there are a couple of tools available to see whether your computer is 'infected', one being https://lastpass.com/superfish/.

Also see the LENOVO STATEMENT ON SUPERFISH as well as the linked uninstall instructions.
 
Got my hands on a sample last night; will hopefully have a blog post up sometime within the week. Interestingly enough, after messing with it for a bit, as of just a few hours ago Windows Defender detects the certificate and flags it as compromised, ultimately classing it as a PUP.

Also...

Users are given a choice whether or not to use the product.

Lol, what?
 
Ed Bott also got hold of a sample and tested it in a VM: Microsoft updates Windows Defender to remove Superfish infection.

The Microsoft security team worked OT on this one! Information from here:

winchester73 said:
Microsoft has added the Superfish software/certificate to Windows Defender 1.193.444.0, according to Italian CloudFlare Security Team member @FiloSottile.

https://twitter.com/FiloSottile/status/568800260111388672

Filippo Valsorda created the first website to check to see if your computer is infected with Superfish: https://filippo.io/Badfish/ (linked earlier)

In addition, products that are based on Superfish/komodia will be disabled with this update.

NOTE: Windows Defender is enabled by default in Windows 8, but Lenovo often disabled it to activate a bundled AV solution by Norton, McAfee, etc. In that case, you will have to reactivate Defender.
 
Had a bit of a laugh at the fact that Lenovo was essentially forced to provide source code for the remover application; otherwise everyone would just assume there was another Superfish in there, or not use it at all.

In any case, it looks like Windows Defender's 1.193.444.0 definition is what included the detection and removal for Superfish - http://pastebin.com/raw.php?i=us7iXvkn
 
As documented by Winchester73 here, it is advisable to run the Lenovo Removal tool as well because Windows Defender did not get all of the files.
 
BTW, Lenovo is not the only vendor using the Komodia software, which installs a root CA certificate in the system trust store. The bottom of this US-CERT vulnerability note lists additional vulnerable packages: Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys.

The https://filippo.io/Badfish/ test has been updated to check for all Komodia certs. For those curious, Filippo Valsorda explains how it works here: Komodia/Superfish SSL Validation is broken.
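As an added illustration, not part of any post above and not Lenovo's or Microsoft's tooling: the web tests mentioned in this thread (lastpass.com/superfish, filippo.io/Badfish) check from inside the browser whether the Superfish or another Komodia-installed CA is trusted. The PowerShell below does the equivalent check locally, enumerating the Windows root and intermediate CA stores for any certificate whose Subject matches a pattern. It ships with only the pattern 'Superfish', since that is the only issuer name the thread gives; further names from the US-CERT note would be passed in via -Patterns. Firefox keeps its own certificate store, which this script does not inspect, and the function names are this example's own.

```powershell
# Added example (not from the original thread): local equivalent of the
# browser-based Superfish/Komodia checks. Enumerates the Windows trust stores
# for CA certificates whose Subject matches any of the given patterns.
# 'Superfish' is the only issuer name the thread identifies; pass further
# names (e.g. from the US-CERT note) via -Patterns. Firefox keeps its own
# NSS certificate store, which this script does not read.
function Find-SuspectCA {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = @('Superfish'),
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',   # trusted roots
            'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'      # intermediates
        )
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in (Get-ChildItem -Path $path)) {
            foreach ($pattern in $Patterns) {
                if ($cert.Subject -like "*$pattern*") {
                    [pscustomobject]@{
                        Store         = $path
                        Subject       = $cert.Subject
                        Thumbprint    = $cert.Thumbprint
                        NotAfter      = $cert.NotAfter
                        HasPrivateKey = $cert.HasPrivateKey
                    }
                    break   # report each certificate once even if several patterns match
                }
            }
        }
    }
}

# Remove what Find-SuspectCA reported. The LocalMachine stores need an
# elevated prompt; -WhatIf / -Confirm work because of SupportsShouldProcess.
function Remove-SuspectCA {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Hit)
    process {
        $certPath = "$($Hit.Store)\$($Hit.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($certPath, 'Remove certificate')) {
            Remove-Item -Path $certPath
        }
    }
}

$hits = Find-SuspectCA
if ($hits) {
    $hits | Format-Table -AutoSize
    # Review the table first, then uncomment to delete (prompts per certificate):
    # $hits | Remove-SuspectCA -Confirm
} else {
    'No certificate matching the given patterns is present in the Windows certificate stores.'
}
```

Deleting the certificate only closes the trust-store side; as the posts above say, the Superfish application files still need the Lenovo removal tool and an updated Windows Defender, and if Defender was disabled by a bundled AV it has to be re-enabled first. On Windows 8.1 and later, Get-MpComputerStatus shows whether real-time protection is on and which signature version is loaded, which can be compared with the 1.193.444.0 definition mentioned earlier in the thread.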
 
