News about the recent Lenovo/Superfish/Komodia security issue keeps getting worse.
The Komodia software at the core of Superfish is even more of a security concern than was originally thought. Not only is its root certificate’s password trivially easy to crack, and common to all Superfish installs, it engages in some certificate validation trickery by which invalid certificates are simply deemed valid – without any warning to the user. Worse still, Komodia hides itself using rootkit techniques normally associated with the worst kinds of malware.
To top off this tale of ever-increasing woe, Komodia has been discovered in at least twelve more applications, including some that are supposed to make users more secure, like Comodo’s PrivDog and Lavasoft’s Ad-Aware Web Companion.
The companies involved in this mess are still scrambling. Lenovo has apologized for their actions, and has published Superfish removal instructions. Superfish is still denying there’s a problem. Komodia’s web site is off line, supposedly because of a DDoS attack, but that may be a smokescreen. Lavasoft has provided information about its use of Komodia, and will be issuing an update for Web Companion that will remove Komodia.
Stay tuned; this is likely to get much worse before it gets better.
Update 2015Feb27: The EFF has uncovered evidence showing that Superfish-related attacks have already occurred. Meanwhile, a hacker group briefly took over a Lenovo domain, causing corporate email to be misdirected. This was apparently done in the spirit of revenge against Lenovo for its actions in relation to Superfish.
Update 2015Feb28: Lenovo is now fully in damage control mode. They just released a statement patting themselves on the back for handling this problem so well, and they are promising to include less crapware on future computers. I wonder how long that promise will last.
Update 2015Mar08: It looks like Lenovo hasn’t done nearly enough to resolve this issue. It’s still possible to buy a new Lenovo laptop with Superfish installed.