Some Windows laptops made by Lenovo come pre-loaded with an adware program that exposes users to security risks.
The software, Superfish Visual Discovery, is designed to insert product ads into search results on other websites, including Google.
However, since Google and some other search engines use HTTPS (HTTP Secure), the connections between them and users' browsers are encrypted and cannot be manipulated to inject content.
To overcome this, Superfish installs a self-generated root certificate into the Windows certificate store and then acts as a proxy, re-signing all certificates presented by HTTPS sites with its own certificate. Because the Superfish root certificate is placed in the OS certificate store, browsers will trust all fake certificates generated by Superfish for those websites.
This is a classic man-in-the-middle technique of intercepting HTTPS communications that's also used on some corporate networks to enforce data leak prevention policies when employees visit HTTPS-enabled websites.
However, the problem with Superfish's approach is it uses the same root certificate with the same RSA key on all installations, according to Chris Palmer, a Google Chrome security engineer who investigated the issue. In addition, the RSA key is only 1024 bits long, which is considered cryptographically unsafe today because of advances in computing power.
The phasing out of SSL certificates with 1024-bit keys started several years ago, and the process has been accelerated recently. In January 2011, the U.S. National Institute of Standards and Technology said that digital signatures based on 1024-bit RSA keys should be disallowed after 2013.
Regardless of whether the private RSA key that corresponds to the Superfish root certificate can be cracked or not, there is the possibility that it could be recovered from the software itself, although this has not yet been confirmed.
If attackers obtain the RSA private key for the root certificate, they could launch man-in-the-middle traffic interception attacks against any user that has the application installed. This would allow them to impersonate any website by presenting a certificate signed with the Superfish root certificate that's now trusted by systems where the software is installed.
Man-in-the-middle attacks can be launched over insecure wireless networks or by compromising routers, which is not an uncommon occurrence.
"The saddest part about #superfish is it's only like 100 more lines of code to generate a unique fake CA signing cert for each system," said Marsh Ray, a security expert who works for Microsoft, on Twitter.
Another problem pointed out by users on Twitter is that even if Superfish is uninstalled, the root certificate it creates is left behind. This means affected users will have to manually remove it in order to be completely protected.
Sign up for CIO Asia eNewsletters.