A new interview with Lenovo's Windows Ecosystem Vice President Mark Cohen has shed light on precisely how the Superfish software ended up on the company's laptops -- but it's not likely to calm any tempers with its explanation. According to Cohen, Lenovo knew Superfish contained features that abused SSL connections before it ever launched the software on any system. The massive OEM then requested that Superfish disable these features, but failed to confirm that Superfish ever actually did so.
Cohen told Infoworld(Opens in a new window) that Lenovo apparently performs extensive validation and security testing on its own in-house applications, as one might expect, but puts third-party software through a much less rigorous procedure. The company has pledged to amend this practice immediately, and says it will now put all third-party applications through the same process. Lenovo's explanation does nothing to absolve the company, but illustrates just how poorly it performed due diligence. The fact that Superfish performed SSL hijacking for no credible reason should have been an enormous red flag that killed any chance of bundling the software. The failure to follow up with the company to make certain that the SSL-breaking certificates had actually been removed is incompetence elevated to an art form.
Komodia's self-description of its capabilities includes some gems.
Writing for Slate(Opens in a new window), David Auerbach has traced the different ways that Lenovo, Superfish, and Komodia have all responded to this crisis. In Lenovo's case, the company initially strongly denied any issue, only to pivot from full-throated denial to full-on apology within a matter of days as criticism mounted and it became clear just how terrible the security compromise was. Superfish CEO Adi Pinhas, in contrast, blamed "false and misleading statements made by some media commentators and bloggers" for the perception that Superfish was a security risk before vanishing off the radar. Attempts to reach Pinhas or the Superfish offices have been unsuccessful.
Komodia's chief author, Barak Weichselbaum, maintained a blog(Opens in a new window) in which he openly wrote about working on an SSL Hijacker, stating at one point in 2009 that "Good news is that our SSL hijacker has entered beta stage and is now working quite good, some fixes are still needed to make it work great but that's quite an achievement, specialy [sic] that there's no other product on the market that does that, without alerting the user that is."
Komodia openly admitted that it sold SSL hijackers and data mining software. Superfish chose to integrate these tools into its own software -- and it's not the only company that did so.The ripples spread
Multiple companies integrated Komodia software, sometimes to darkly ironic effect. A legitimate certificate authority, Comodo Group, has ties to an advertising client (PrivDog) with an even worse security flaw -- despite the fact that the Comodo Group is known for producing Internet security software. In essence, this means that a web security company has ties to a company with an even larger security-destroying flaw. The same man, Melih Abdulhayoglu, is the CEO of both Comodo Group and AdTrustMedia, PrivDog's creator.
LavaSoft, makers of Ad-Aware (granddaddy of anti-spyware software), has also come clean about Komodia's integration in its Ad-Aware Web Companion. The company claims it intended to use the product for good (and anti-virus scanners do sometimes install root certificates as part of their operation). The problem isn't that all web certificates are bad, but that Komodia distributed an identical, badly flawed security system as part of its behavior.
LavaSoft, to its credit, came clean and acknowledged the problem, but it's almost certainly not going to be the only company that discovers it has this malware wrapped around its own software packages.
It's tempting to look for neat, single failures in a story like this. But the deeper story is actually the greater threat. One clueless hacker with profoundly terrible judgment built an SSL hijacker with minimal, broken security. He distributed that product to over a dozen software companies who used it for various purposes without performing due diligence. That software was then purchased by other parties (Lenovo, most prominently) who trusted that these other firms had done their homework.
The only way for Lenovo to earn consumers' trust back is to commit itself publicly and vocally to securing its products and performing the kind of security analysis that customers have every right to expect from any computing product they buy from such a large and trusted vendor. People may be willing to grit their teeth and tolerate bloatware in exchange for cheaper prices, but no one is going to buy systems that run the risk of being so fundamentally flawed.Tagged In
PrivDog Comodo Group Lenovo Komodia AdwareMore from Internet & Security
