Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Superfish security flaw also exists in other apps, non-Lenovo systems

Lucian Constantin | Feb. 23, 2015
On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs.

The same removal instructions should be applied to all certificates installed by products that use the Komodia SDK, but identifying them is not easy and it's unlikely that all affected products have been found. Users shouldn't remove any of the legitimate certificates that are in the Windows or Firefox certificate stores, because that could generate certificate errors on legitimate websites.

It's not clear if any way will be found to fix this issue for all affected users that lets them avoid manually removing certificates. As Matthew Green, a cryptography professor at Johns Hopkins University, explains in a blog post, browser vendors can't simply blacklist the certificates in their respective browsers because the affected software would continue to re-sign legitimate certificates and this would generate certificate errors that would prevent users from connecting to websites.

Microsoft is also unlikely to push an update that removes legitimate programs from computers that were willingly installed by users, such as parental control applications, because that would set a dangerous precedent.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.