December 22, 2024

Feedback Friday: Lenovo Preinstalled Superfish Adware on Laptops – Reactions

Posted on February 22, 2015 by in Security

For a period of several months, Lenovo shipped numerous laptop models with a piece of adware that broke HTTPS browsing and put users at risk. Now, the company has apologized to customers and provided them with instructions on how to remove the application.

Lenovo preloaded the WindowShopper browser add-on from Superfish thinking that customers would enjoy its features. However, many users were annoyed by it and started complaining on the Chinese manufacturer’s forums. After security researchers analyzed the software, they realized that it poses serious risks.

The adware injects ads into web pages by using a local proxy and a self-signed root certificate. Superfish actually replaces legitimate certificates with its own, making connections that should be secure untrusted.

Industry reactions to Superfish incident

Even more worrying is the fact that researchers have managed to extract the certificate’s private key. The private key can be used to sign potentially malicious websites and software that would be trusted on affected Lenovo notebooks.

Industry professionals pointed out that Lenovo should have known better not to install such software on its computers. Experts also noted that while this is a common practice, they hope that manufacturers will learn from the Superfish incident.

And the feedback begins…

Martijn Grooten, Editor at Virus Bulletin:

“Like most people working in security, I’m not very keen on the idea of ads in general and running third-party code on your computer or inside your browser in particular. But then, I accept that ads are part of the ecosystem and that pre-installing software that, as it is euphemistically called, “enhances user experience” makes laptops significantly cheaper.

Now injecting ads into a browser is bad enough, doing so by running an HTTPS proxy on the machine is a lot worse. HTTPS shouldn’t be touched unless it is for a very good reason – inserting ads is never a good reason.

But what makes it still orders of magnitude worse than that, is that their proxy uses the same certificate on all affected (or, perhaps more accurate, infected) PCs. Hence anyone can obtain the private key of the certificate – which, as people have already showed, isn’t rocket science – and use this to man-in-the-middle HTTPS traffic without the Lenovo user being aware.

The industry of bundled apps and programs is a complicated one and finding out what all the programs installed on the PCs you sell are up to might not be as easy as security researchers may suggest. But Lenovo should have been able to detect Superfish adding a SSL root certificate to the computer, as well as it running an HTTPS proxy on the local machine.”

George Baker, Director of Professional Services at Foreground Security:

“This was clearly a questionable design decision by Lenovo. Trusted manufacturers should know that building in a ‘man-in-the-middle’ feature is just that… highly questionable, regardless of the claimed benefit. And weak protection on the Superfish software’s own private key further undermines the system’s root of trust. If the software is present and trusted by the operating system, a knowledgeable attacker can exploit it at will.

That said, it’s good that it was caught early, after four months of production, and that Lenovo is taking some action. That should at least limit the number of users – and the amount of their private data – who are exposed.”

ThreatStream CTO Greg Martin:

“The latest Superfish debacle highlights the current strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market that has made Google and others so successful. Unfortunately, like the case with Lenovo and many others, users’ privacy and security are compromised – often in secret – leaving them extremely vulnerable to malicious hackers who leverage the this type of tracking technology against them.

Unfortunately this won’t be the last we see of this type of story, but hopefully the publicity from Superfish will be enough to warn other like-minded manufacturers to take a more transparent approach and offer their users opt-out capabilities on future products that include embedded ad-tracking tech. Because Superfish was developed and licensed to Lenovo, it will be interesting to find out which other manufacturers are leveraging the Superfish technology in their products.”

Patrick Belcher, Director of Security Analytics, Invincea:

“The Lenovo and Superfish unwanted software debacle should serve as notice that there are dozens of ad companies that push spyware and toolbars, many of which exhibit rootkit-like properties and siphon off local user information to sell to advertising companies.

These programs are delivered like Trojan horses, bundled into innocuous applications with the sole intent of spying on and generating revenue at the expense of the user’s privacy. The ad companies purchase this siphoned data to deliver targeted advertising, and sometimes, malvertising to specific groups of users of the Internet.”

Ian Amit, Vice President at ZeroFOX:

“The Lenovo laptops that shipped with “Superfish” adware capable of snooping through the user’s encrypted web traffic are a very tangible threat to consumers and companies. People posting about their new Lenovo laptop on social media makes it easy for attackers to find them. Consequently, mapping those users’ home, work, and local coffee shops enables attackers to confidently launch man-in-the-middle attacks by abusing how Superfish allows snooping of encrypted web traffic (i.e. online banking, shopping, email, VPNs, etc).

We recommend that companies ensure their threat intelligence provide contextual data on their exposure as related to this vulnerability (employees, partners, locations, etc).”

Simon Crosby, CTO and co-founder of Bromium:

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behavior of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

Grayson Milbourne, Webroot Security Intelligence Director:

“Sadly this is common practice in the industry. Customers aren’t informed this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up. Consequently, this breeds a level of mistrust between the offending company and its customer base. In this case, users have aired their frustrations over social media channels – and it’s completely distracting from the quality products Lenovo manufactures.

In the past couple weeks, Lenovo has been forced to expend valuable time and resources managing backlash from the security community and customers. Undoubtedly, this is hurting the company’s bottom line and opening the door for competitors to claim privacy superiority.

If there’s a silver lining, it’s that this story will be a wake-up call for consumers. Whether its unwanted adware from the manufacture or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Steve Lowing, Director of Product Development at Promisec:

“Preinstalled software, such as adware like Superfish, must go through the same scrutiny as the shipping company (in this case Lenovo) would do for their own software in order to prevent these kinds of brand impacting missteps from happening. While it’s not exactly uncommon to see adware or promotional-ware software on new laptops these days, the times have changed where these once opt-in based services are not forced on us by default.

Coupling this tactic with poorly designed software that can carry out a “man-in-the-middle” attack on what is expected to be secured data is a potential lawsuit waiting to happen. Companies like Lenovo should know better than to pre-install this kind of software in the first place.”

Mark Parker, Senior Product Manager, iSheriff:

“The practice of pre-installing 3rd party software on PCs delivered to retail establishments, and direct shipped to business customers, presents a considerable risk. Given the choice, most consumers and businesses would choose not to have the 3rd party software installed. In the case of Lenovo and Superfish, we see an indication of exactly how dangerous that can be.

The man-in-the-middle certificate used made it such that every secure session was no longer private. In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not pre-installing software that can create an attack vector.”

Chris Schweigert, Security Operations Director at EiQ Networks:

“The recent discovery of the Superfish application on Lenovo PC’s brings up the old best practices of installing a known, respectable copy of an operating system on your computer when you take it out of the box. Commercial off-the-shelf (COTS) applications have long been scrutinized by major enterprise environments and you simply cannot trust what you get from a manufacturer.

As a best practice, organizations should have a gold build install of all the authorized software for each new computer that comes in. You have to nuke the manufacturer installed applications and then re-install what you know to be trusted. Another advantage here is the ability to more easily identify changes to that baseline configuration on all your systems.”

Randy Abrams, Research Director at NSS Labs:

“It is disconcerting that virtually no anti-malware products were detecting Superfish, however the difference between malicious adware and acceptable adware is not ‘black and white.’ Not all behaviors are expected to be detected without a level of inspection that is not possible with the amount of malware being released daily. Vendors like Superfish employ teams of researchers to evade anti-malware products.

There are very likely many other adware products performing the exact same activities as Superfish. The primary motivation Superfish has is advertising revenue. This could have gone much worse for Lenovo if theft was the motivation for backdoors in third party software.

It is incumbent upon C-Level IT professionals to make sure there are well-defined processes and procedures for releasing third-party software on any medium. This must include tracking and auditing of third party vendors, monitoring their reputations and malware scanning with multiple products.

Coincidentally, the newly-formed Clean Software Alliance (CSA) will help in preventing this type of adware to go undetected. The CSA is a coalition of antimalware vendors, download bundlers and other members of the ‘adware’ ecosystem that are cooperating to set meaningful standards for ‘adware.’ Superfish’s conduct would preclude CSA approval.”

Muddu Sudhakar, Caspida CEO:

“U.S. computer manufacturers are getting a lot of push back from other countries for their hardware sales after scrutiny from incidents like those tied to the NSA and Snowden. Hardware vendors need to show beyond reasonable doubt that they are shipping high quality, highly secure products, eliminating backdoors in hardware and operating systems.

We need new third party certifications for hardware vendors who ship desktops/laptops or servers such as Lenovo, IBM, HP, and Apple. The third party certification should be robust and should be done independently of vendor companies and independently of government agencies.”

John Hultquist, Senior Manager, Cyber Espionage Threat Intelligence at iSIGHT Partners:

“We have noticed a trend affecting the software supply chain. The places people go to download applications or updates have been compromised on several occasions recently by cyber espionage actors who trojanize the software with their own malware. Chinese and Russian operators have swapped out everything from SCADA software to computer games, targeting very specific users as well as some opportunistic victims.”

John Pirc, Chief Strategy Office and Co-founder of Bricata:

“Based on the information surfacing about Superfish, administrators should inspect for where this application is installed and remove it. If you are using cloud based applications such as Microsoft Office 365 for Business or Google Apps for Work, enabling 2-step authentication offers additional protection in case your log-in credentials have been exposed. In the event someone is able to get your username and password they might try and log-in from another system; 2-step authentication would protect you from becoming further compromised.

This could also complicate matters for the Lenovo install base if they have a significant footprint within the U.S. government or federal contractors. My same recommendations for businesses apply in these sectors. However, I would strongly recommend that anyone in the USG and contractor community who uses a Lenovo PC and is involved with any sensitive projects should have their system checked for Superfish. Having the app installed may not mean they are compromised, but again, the main objective is reducing your risk.

Lenovo is a great company and it is unlikely they would knowingly place ‘malware’ on a system. Lenovo should have caught the Superfish issues earlier, via discussions in their user forums and I’m sure they are addressing the matter. Still, this does not discount the risk facing those who are at risk of a man-in-the-middle attack.”

Greg Hoffer, senior director of engineering, Globalscape:

“We put a lot of trust in technology, but this event is a reminder for everyone: take nothing for granted, and remain ever vigilant with the products you develop, integrate and purchase. There are ample industry standards available for security development and testing, independent security experts available to validate performance, and well-established protocols for production and operations. Assume nothing and put into action the old axiom, ‘Trust, but verify.’”

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Massive Oracle Security Update Lands on Microsoft Patch Tuesday

Posted on October 15, 2014 by in Security

Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.

Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, including a handful that is known to have already come under attack.

But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.

“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”

The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities meanwhile affect client and server deployments of Java SE, while on affects client and server deployments of JSSE, Maurice noted.

The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.

In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.

MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution of a user views a specially-crafted webpage using Internet Explorer.

“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security migration for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it had might not been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”

MS14-56, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.

“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”

The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.

The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.

Adobe Systems also released patches today to address issues in Adobe Flash Player.

“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Advantages and drawbacks regarding the Access Application for SharePoint 2013

Posted on October 14, 2014 by in SharePoint

Tags: SharePoint 2013
Enterprise Personal & Collaboration

Why are Accessibility 2013 Apps Great? Below tend to be a couple of elements …

They’ve a SQL online host backend
You can use SQL online server Reporting Solutions, Excel or any other products that uphold SQL Azure or SQL internet host over ODBC to create reports regarding the Access Application information
Once you utilize App Layouts or Tables, places as well as navigation are produced available
There are some new relevant Product commands which make framework views effortless and they have a constant appearance and feel
One Click Production!
The appearance capability is created in and also is user-friendly

test database templates

What tend to be SharePoint 2013 Apps?

It enables designers to develop custom-made applications that would be released toward Workplace shop for general public download or even to the organization mag which can be a business’s internal Application Brochure Site after that users can download all of them with their SharePoint web pages. Included in the out-of-box apps is an Accessibility Application which makes it easy for Access 2013 data resources to be included to SharePoint 2013 internet sites.

Precisely what may be the Access App?

This out-of-box, no-code application allows us to put Gain access to data resources into SharePoint and comes with some really great functions (step-by-step over) that I will truly get involved in slightly more specific within the next parts. The event of the application will be provide a much more dependable, quicker also durable option for placing relational information directly into SharePoint with no issue of creating including creating one thing from the floor up. Microsoft Office get access to 2013 includes a few themes for Accessibility internet Apps along with tables which will get you began.

Top Get Access To App Work

It’s an incredible dissimilar to generating an inventory in SharePoint whenever you comprehend it will increase to-be a “large listing”. Not only does it help deal with big directories including provide fast option of the information, it also enables outside SQL Server including SQL Azure suffered resources getting option of the data.

Want to know just how it works?

When you produce the application in Microsoft Workplace Access 2013, you decide on the internet site where it will definitely live.
In the process introducing the program to SharePoint, a SQL database is provisioned that may house all the items and data that application requires.
The database that’s produced is particular to your application also automatically maybe not shown other programs.
Once you develop a table within application, a table is created inside repository.
Once you generate a question within app, a SQL host Sight is produced or if perhaps your inquiry takes a parameter, a table-valued function is developed.
Whenever you produce a Standalone Macro within application, a Stored treatment is done in SQL online server.
Sights in Accessibility will be the the different parts of your app that show the information within the internet browser. They’re in addition kept in the information supply but as message simply because tend to be HTML and JavaScript as opposed to SQL items.

Save & Publish

Other Really Fantastic Benefits which can be Well Worth Mentioning

When establishing the get access to Application, you are able to choose from one of several easy as really as quick templates or start from scratch amongst a personalized software. That’s it, in just a couple of ticks you have got an operating SharePoint Application. Either technique, once you’ve in fact designed your database, mouse click release Application and also you have actually a no-code software in SharePoint that consist of a search device.

It makes it possible for designers to create custom applications that can be posted to your Office Establishment for community down load or even the Corporate Catalog that is a business’s interior Application mag Site then users can install all of them to their SharePoint internet sites. Consisted of within the out-of-box apps is an Accessibility App that makes it easy for Accessibility 2013 information resources become put into SharePoint 2013 web pages.

Microsoft Workplace Access 2013 comprises of a few themes for Accessibility online Applications and tables that undoubtedly acquire you started.

When building the Access App, you’ll pick from among simple as well as fast design templates or start from scrape with a personalized application. Regardless, once you’ve made your database, mouse click Introduce Application including you’ve got a no-code software in SharePoint that features a search device.

By Amy Sawtell, December 10, 2013
Source: http://www.cardinalsolutions.com/cardinal/blog/portals/2013/12/the_pros_and_consof.html

The Windows Mobile Strategy For Microsoft Office 2013

Posted on February 2, 2013 by in Blog

Is Microsoft Office 2013 Working

Microsoft is pinching CIOs by not providing an easy way to run the just released Microsoft Office 2013 except on Windows RT, the operating system for its Surface tablets. With little cross-platform integration, Microsoft is creating an opening for vendors that have a clearer path for a complete mobile workflow.Outlook is the killer app for Microsoft, but the company has not shown any interest in releasing it for Office on the Surface or any other mobile device, said Analyst Esteban Kolsky, Founder of ThinkJar. Instead, Microsoft makes the case for Office365 in the cloud. But so far it only has 20 to 30 percent of the functionality that a customer would get with the desktop version of Microsoft Office. See Sarah Perez’s article for her take on the latest from Office365.

Forrester Research Analyst Phil Karcher said to me in an email that Microsoft does have a complete suite of mobile apps for Windows RT and Windows Phone, but only has Lync and OneNote apps for iOS and Android devices. It has improved browser access to SharePoint 2013, which benefits users on Android and iOS. However, it does not have mobile versions of its core office productivity applications — Word, Excel, PowerPoint on iOS and Android. He sees it as a matter of time before Microsoft opens up more to other platforms.

But Karcher said that competitors have a mixed bag, too:

Google Drive has more editing functionality on Android devices than it does on iOS today. It only introduced editing capabilities for its iOS app in September, and to my understanding only supports docs, not spreadsheets or presentations. IBM Docs has native apps with comprehensive functionality for iOS and Android today, including collaborative document editing from those devices. But a major complaint from users in general is that they want compatibility with their documents formats. Both Google and Android have the advantage of native mobile apps on popular platforms and continue to present alternatives to Microsoft for office productivity in general. But any first mover advantage in mobile support I suspect may be short-lived.

Zoho Evangelist Raju Vegesna said similarly that Windows Phone’s poor market share is a main factor in how Office fares, especially as the desktop recedes in importance:

With Windows Phone share lingering at less than 5 percent and with no iOS and Android versions of Office, users will look for alternatives. Remember, mobile share is going to be more important than desktop marketshare moving forward. Countries like India have 10x more mobile users than desktop users.

I’d love to see Office365 become something important. That would be a shift. The issue for Office comes down to portability. I should be able to open any document, on any device and have an experience that makes the mobile workflow somewhat seamless.

But in truth, not one vendor has the mobile workflow working. It is still a mix of vendors, providing different tools in their various suites. IBM Dominos, for instance, integrates with IBM Traveler, its mobile software for pushing email to mobile devices. IBM Docs integrates OpenSocial, providing a clean web experience. But at least one IBM customer I talked to uses SAP Afaria to manage its mobile devices. That shows the mix that we will continue to see as customers seek out their own workflows for connecting employees and their mobile devices.

Original Page: http://t.co/hjRmxbHu

How you can open Word 2007 documents in Word 2003.

Posted on December 19, 2012 by in Microsoft Office

Maybe you have attempted to spread out Word 2007 documents in Word 2003? if so, this publish can help you a great deal. Lately Microsoft has released more recent form of its world popular Microsoft ‘office’ pack. The more recent version is known as as Microsoft Office 2007 and Microsoft Office 2010. This edition provides more features and nice searching interface as in comparison to the previous versions. The majority of home windows computer customers have Microsoft Office 2003 pack already placed on their computer systems. However, many segment laptop or computer customers has began to make use of MS Word 2007 pack on computer systems. While focusing on a pc running Microsoft Office 2007 pack, a document is held in .docx data format which cannot be opened up on Microsoft office 2003 computer systems designed to use .doc format for documents.Whenever you send or share .docx document with another user getting Microsoft Office 2003 pack, he’s not able to spread out the .docx document received. This produces great discomfort. Wish to consider discuss new ways to open word 2007 documents in word 2003. You are able to follow anyone step according to your convenience to spread out word 2007 document in word 2003 pack:

1. By utilizing Save as word97-2003 option

If you’re focusing on a document, it can save you this document in .doc data format. Just begin to see the Save As possibilities in MS word 2007. You will notice a choice named Word 97-2003. Make use of this option, your document is going to be held in .doc document format.

2. By utilizing Data Format Converters

You are able to download different data format ripper tools available on the web. Using a data format ripper tools, you’ll have the ability to convert any .docx file to preferred format.

3. By Setting up compatibility pack

Microsoft is well familiar relating to this problem faced by computer customers. To come across this issue, Microsoft provides Microsoft Office compatibility pack. You are able to install compatibility pack came from here. Then you’ll have the ability to open .docx document files on the computer running Microsoft Office 2003 pack. Besides you’ll have the ability to open Microsoft Office 2007 Ms powerpoint, Stand out files in Microsoft office 2003 pack. This can give a permanent means to fix these complaints.

To Download Microsoft Office compatibility pack, please follow this link.

Source: http://techcreak.com/how-to-open-word-2007-documents-in-word-2003.html