May 17, 2024

Feedback Friday: Lenovo Preinstalled Superfish Adware on Laptops – Reactions

Posted on February 22, 2015 by in Security

For a period of several months, Lenovo shipped numerous laptop models with a piece of adware that broke HTTPS browsing and put users at risk. Now, the company has apologized to customers and provided them with instructions on how to remove the application.

Lenovo preloaded the WindowShopper browser add-on from Superfish thinking that customers would enjoy its features. However, many users were annoyed by it and started complaining on the Chinese manufacturer’s forums. After security researchers analyzed the software, they realized that it poses serious risks.

The adware injects ads into web pages through a local HTTPS proxy. To do that without triggering browser warnings, its installer adds a self-signed Superfish root certificate to the Windows trusted root store; the proxy then terminates every TLS connection itself and hands the browser a substitute certificate for the site, issued under that root. The browser still shows the padlock, but the connection is no longer end-to-end encrypted, and Superfish can read and modify everything in it.

Industry reactions to Superfish incident

Even more worrying, researchers have extracted the private key of that root certificate. The same certificate and key ship on every affected laptop, so extracting the key once is enough: anyone holding it can issue certificates that affected Lenovo notebooks will trust, whether for a malicious website or for signing software, without the user seeing any warning.
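The practical check a user or administrator wants at this point is whether the Superfish root is sitting in the machine's trusted root store. The following is an added example, written for this page rather than taken from Lenovo, Superfish or the article: standard-library Python that pulls Issuer and Subject out of a DER certificate with a minimal ASN.1 walker and flags a self-signed certificate whose subject CN is "Superfish, Inc." (the name on the root Lenovo shipped). On Windows it enumerates the machine ROOT store; on other platforms the same functions run against a constructed, unsigned sample certificate, which, together with the tiny DER encoder that builds it, is an assumption of this example and not a real certificate.

```python
"""Audit a certificate store for the Superfish root CA (standard library only)."""
import ssl

CN_OID = "550403"                       # id-at-commonName 2.5.4.3, as hex of the DER OID
O_OID = "55040a"                        # id-at-organizationName 2.5.4.10
SUSPECT_ROOT_CNS = {"Superfish, Inc."}  # subject CN of the root Lenovo preinstalled


def tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """All TLVs directly inside a constructed element's contents."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        out.append((tag, value))
    return out


def name_to_dict(name_body: bytes) -> dict:
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> {oid_hex: text}."""
    attrs = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            attrs[oid.hex()] = value.decode("utf-8", "replace")
    return attrs


def issuer_and_subject(cert_der: bytes):
    """Walk Certificate -> TBSCertificate and return (issuer, subject) dicts."""
    _, cert_body, _ = tlv(cert_der, 0)
    _, tbs, _ = tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:             # optional explicit [0] version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_dict(fields[2][1]), name_to_dict(fields[4][1])


def is_suspect_root(cert_der: bytes) -> bool:
    """True for a self-signed certificate whose subject CN is on the suspect list."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject and subject.get(CN_OID) in SUSPECT_ROOT_CNS


def scan_windows_root_store() -> list:
    """Subject CNs of suspect roots in the machine ROOT store (Windows only; [] elsewhere)."""
    if not hasattr(ssl, "enum_certificates"):    # only defined on Windows builds of Python
        return []
    hits = []
    for cert, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding == "x509_asn" and is_suspect_root(cert):
            hits.append(issuer_and_subject(cert)[1][CN_OID])
    return hits


# --- constructed sample input: structurally valid DER, placeholder key, no real signature ---
def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder for the sample (definite lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_name(cn: str, org: str) -> bytes:
    """Name with O= and CN= RDNs, values as UTF8String."""
    def rdn(oid: bytes, value: str) -> bytes:
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode())))
    return der(0x30, rdn(b"\x55\x04\x0A", org) + rdn(b"\x55\x04\x03", cn))


def sample_cert(subject_cn: str, subject_org: str, issuer_cn: str, issuer_org: str) -> bytes:
    """Unsigned X.509 v3 certificate skeleton, enough for the parser above to walk."""
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")  # sha256WithRSA
    validity = der(0x30, der(0x17, b"140101000000Z") + der(0x17, b"240101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))                                        # placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der_name(issuer_cn, issuer_org) + validity
              + der_name(subject_cn, subject_org) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    superfish = sample_cert("Superfish, Inc.", "Superfish, Inc.", "Superfish, Inc.", "Superfish, Inc.")
    print("constructed Superfish root flagged:", is_suspect_root(superfish))   # True
    print("Windows ROOT store hits:", scan_windows_root_store())
```

Finding the root is only half of the clean-up: a certificate issued under the leaked key is not self-signed, so it is never flagged here, and the local proxy that installed the root is a separate component. Remove the root from the store (and the proxy with it); until then, every site certificate the proxy hands the browser chains to that root and will be accepted.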

Industry professionals pointed out that Lenovo should have known better than to install such software on its computers. They also noted that, while bundling third-party software is common practice, they hope manufacturers will learn from the Superfish incident.

And the feedback begins…

Martijn Grooten, Editor at Virus Bulletin:

“Like most people working in security, I’m not very keen on the idea of ads in general and running third-party code on your computer or inside your browser in particular. But then, I accept that ads are part of the ecosystem and that pre-installing software that, as it is euphemistically called, “enhances user experience” makes laptops significantly cheaper.

Now injecting ads into a browser is bad enough, doing so by running an HTTPS proxy on the machine is a lot worse. HTTPS shouldn’t be touched unless it is for a very good reason – inserting ads is never a good reason.

But what makes it still orders of magnitude worse than that, is that their proxy uses the same certificate on all affected (or, perhaps more accurately, infected) PCs. Hence anyone can obtain the private key of the certificate – which, as people have already shown, isn’t rocket science – and use this to man-in-the-middle HTTPS traffic without the Lenovo user being aware.

The industry of bundled apps and programs is a complicated one and finding out what all the programs installed on the PCs you sell are up to might not be as easy as security researchers may suggest. But Lenovo should have been able to detect Superfish adding an SSL root certificate to the computer, as well as it running an HTTPS proxy on the local machine.”

George Baker, Director of Professional Services at Foreground Security:

“This was clearly a questionable design decision by Lenovo. Trusted manufacturers should know that building in a ‘man-in-the-middle’ feature is just that… highly questionable, regardless of the claimed benefit. And weak protection on the Superfish software’s own private key further undermines the system’s root of trust. If the software is present and trusted by the operating system, a knowledgeable attacker can exploit it at will.

That said, it’s good that it was caught early, after four months of production, and that Lenovo is taking some action. That should at least limit the number of users – and the amount of their private data – who are exposed.”

ThreatStream CTO Greg Martin:

“The latest Superfish debacle highlights the current strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market that has made Google and others so successful. Unfortunately, like the case with Lenovo and many others, users’ privacy and security are compromised – often in secret – leaving them extremely vulnerable to malicious hackers who leverage this type of tracking technology against them.

Unfortunately this won’t be the last we see of this type of story, but hopefully the publicity from Superfish will be enough to warn other like-minded manufacturers to take a more transparent approach and offer their users opt-out capabilities on future products that include embedded ad-tracking tech. Because Superfish was developed and licensed to Lenovo, it will be interesting to find out which other manufacturers are leveraging the Superfish technology in their products.”

Patrick Belcher, Director of Security Analytics, Invincea:

“The Lenovo and Superfish unwanted software debacle should serve as notice that there are dozens of ad companies that push spyware and toolbars, many of which exhibit rootkit-like properties and siphon off local user information to sell to advertising companies.

These programs are delivered like Trojan horses, bundled into innocuous applications with the sole intent of spying on and generating revenue at the expense of the user’s privacy. The ad companies purchase this siphoned data to deliver targeted advertising, and sometimes, malvertising to specific groups of users of the Internet.”

Ian Amit, Vice President at ZeroFOX:

“The Lenovo laptops that shipped with “Superfish” adware capable of snooping through the user’s encrypted web traffic are a very tangible threat to consumers and companies. People posting about their new Lenovo laptop on social media makes it easy for attackers to find them. Consequently, mapping those users’ home, work, and local coffee shops enables attackers to confidently launch man-in-the-middle attacks by abusing how Superfish allows snooping of encrypted web traffic (i.e. online banking, shopping, email, VPNs, etc).

We recommend that companies ensure their threat intelligence provides contextual data on their exposure as related to this vulnerability (employees, partners, locations, etc).”

Simon Crosby, CTO and co-founder of Bromium:

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behavior of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

Grayson Milbourne, Webroot Security Intelligence Director:

“Sadly this is common practice in the industry. Customers aren’t informed this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up. Consequently, this breeds a level of mistrust between the offending company and its customer base. In this case, users have aired their frustrations over social media channels – and it’s completely distracting from the quality products Lenovo manufactures.

In the past couple weeks, Lenovo has been forced to expend valuable time and resources managing backlash from the security community and customers. Undoubtedly, this is hurting the company’s bottom line and opening the door for competitors to claim privacy superiority.

If there’s a silver lining, it’s that this story will be a wake-up call for consumers. Whether it’s unwanted adware from the manufacturer or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Steve Lowing, Director of Product Development at Promisec:

“Preinstalled software, such as adware like Superfish, must go through the same scrutiny as the shipping company (in this case Lenovo) would do for their own software in order to prevent these kinds of brand impacting missteps from happening. While it’s not exactly uncommon to see adware or promotional-ware software on new laptops these days, the times have changed where these once opt-in based services are not forced on us by default.

Coupling this tactic with poorly designed software that can carry out a “man-in-the-middle” attack on what is expected to be secured data is a potential lawsuit waiting to happen. Companies like Lenovo should know better than to pre-install this kind of software in the first place.”

Mark Parker, Senior Product Manager, iSheriff:

“The practice of pre-installing 3rd party software on PCs delivered to retail establishments, and direct shipped to business customers, presents a considerable risk. Given the choice, most consumers and businesses would choose not to have the 3rd party software installed. In the case of Lenovo and Superfish, we see an indication of exactly how dangerous that can be.

The man-in-the-middle certificate used made it such that every secure session was no longer private. In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not pre-installing software that can create an attack vector.”

Chris Schweigert, Security Operations Director at EiQ Networks:

“The recent discovery of the Superfish application on Lenovo PCs brings up the old best practices of installing a known, respectable copy of an operating system on your computer when you take it out of the box. Commercial off-the-shelf (COTS) applications have long been scrutinized by major enterprise environments and you simply cannot trust what you get from a manufacturer.

As a best practice, organizations should have a gold build install of all the authorized software for each new computer that comes in. You have to nuke the manufacturer installed applications and then re-install what you know to be trusted. Another advantage here is the ability to more easily identify changes to that baseline configuration on all your systems.”

Randy Abrams, Research Director at NSS Labs:

“It is disconcerting that virtually no anti-malware products were detecting Superfish, however the difference between malicious adware and acceptable adware is not ‘black and white.’ Not all behaviors are expected to be detected without a level of inspection that is not possible with the amount of malware being released daily. Vendors like Superfish employ teams of researchers to evade anti-malware products.

There are very likely many other adware products performing the exact same activities as Superfish. The primary motivation Superfish has is advertising revenue. This could have gone much worse for Lenovo if theft was the motivation for backdoors in third party software.

It is incumbent upon C-Level IT professionals to make sure there are well-defined processes and procedures for releasing third-party software on any medium. This must include tracking and auditing of third party vendors, monitoring their reputations and malware scanning with multiple products.

Coincidentally, the newly-formed Clean Software Alliance (CSA) will help in preventing this type of adware from going undetected. The CSA is a coalition of antimalware vendors, download bundlers and other members of the ‘adware’ ecosystem that are cooperating to set meaningful standards for ‘adware.’ Superfish’s conduct would preclude CSA approval.”

Muddu Sudhakar, Caspida CEO:

“U.S. computer manufacturers are getting a lot of push back from other countries for their hardware sales after scrutiny from incidents like those tied to the NSA and Snowden. Hardware vendors need to show beyond reasonable doubt that they are shipping high quality, highly secure products, eliminating backdoors in hardware and operating systems.

We need new third party certifications for hardware vendors who ship desktops/laptops or servers such as Lenovo, IBM, HP, and Apple. The third party certification should be robust and should be done independently of vendor companies and independently of government agencies.”

John Hultquist, Senior Manager, Cyber Espionage Threat Intelligence at iSIGHT Partners:

“We have noticed a trend affecting the software supply chain. The places people go to download applications or updates have been compromised on several occasions recently by cyber espionage actors who trojanize the software with their own malware. Chinese and Russian operators have swapped out everything from SCADA software to computer games, targeting very specific users as well as some opportunistic victims.”

John Pirc, Chief Strategy Officer and Co-founder of Bricata:

“Based on the information surfacing about Superfish, administrators should inspect for where this application is installed and remove it. If you are using cloud based applications such as Microsoft Office 365 for Business or Google Apps for Work, enabling 2-step authentication offers additional protection in case your log-in credentials have been exposed. In the event someone is able to get your username and password they might try and log-in from another system; 2-step authentication would protect you from becoming further compromised.

This could also complicate matters for the Lenovo install base if they have a significant footprint within the U.S. government or federal contractors. My same recommendations for businesses apply in these sectors. However, I would strongly recommend that anyone in the USG and contractor community who uses a Lenovo PC and is involved with any sensitive projects should have their system checked for Superfish. Having the app installed may not mean they are compromised, but again, the main objective is reducing your risk.

Lenovo is a great company and it is unlikely they would knowingly place ‘malware’ on a system. Lenovo should have caught the Superfish issues earlier, via discussions in their user forums and I’m sure they are addressing the matter. Still, this does not discount the risk facing those who are at risk of a man-in-the-middle attack.”

Greg Hoffer, senior director of engineering, Globalscape:

“We put a lot of trust in technology, but this event is a reminder for everyone: take nothing for granted, and remain ever vigilant with the products you develop, integrate and purchase. There are ample industry standards available for security development and testing, independent security experts available to validate performance, and well-established protocols for production and operations. Assume nothing and put into action the old axiom, ‘Trust, but verify.’”


Previous Columns by Eduard Kovacs:



Massive Oracle Security Update Lands on Microsoft Patch Tuesday

Posted on October 15, 2014 by in Security

Microsoft and Oracle customers will have their hands full applying a spate of security updates that were issued today.

Microsoft released eight security bulletins as part of Patch Tuesday, including critical updates for Internet Explorer, Windows and the .NET Framework. The bulletins address a total of 24 vulnerabilities, a handful of which are already known to be under attack.

But the Microsoft release is dwarfed in size by the more than 150 security fixes issued today by Oracle. Within those patches are 31 fixes for the Oracle Database, several of which have a CVSS Base Score of 9.0.

“This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows),” explained Oracle Software Security Assurance Director Eric Maurice in a blog post. “When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.”

The Oracle update also provides fixes for 25 new Java SE vulnerabilities, the most severe of which has a CVSS Base Score of 10.0. Out of the 25, 20 affect client-only deployments of Java SE, and two of these are browser specific. Four vulnerabilities affect client and server deployments of Java SE, while one affects client and server deployments of JSSE, Maurice noted.

The remaining vulnerabilities impact: Oracle Fusion Middleware; Oracle Enterprise Manager Grid Control; Oracle E-Business Suite; Oracle Supply Chain Product Suite; Oracle PeopleSoft Enterprise; Oracle JDEdwards EnterpriseOne; Oracle Communications Industry Suite; Oracle Retail Industry Suite; Oracle Health Sciences Industry Suite; Oracle Primavera; Oracle and Sun Systems Product Suite; Oracle Linux and Virtualization and Oracle MySQL.

In the case of Microsoft, customers will have their hands full with issues of their own. Three of the bulletins released today by Microsoft are rated ‘critical’ – MS14-056, MS14-057 and MS14-058.

MS14-056 is the biggest of the updates, and addresses 14 privately-reported issues in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

“This is another Patch Tuesday that easily fuels future drive-by web attacks for the months ahead,” said Marc Maiffret, CTO of BeyondTrust. “Beyond just code execution there also exists the ability to bypass ASLR (Address Space Layout Randomization) which is a helpful OS security mitigation for exploitation. This ASLR bypass can be used in conjunction with other vulnerabilities for more successful exploitation where it might not have been possible in the past. It should be noted that Microsoft’s EMET technology will help mitigate some of these attacks and even more importantly these client application vulnerabilities are a great reminder of the need for Least Privilege in making sure users are not running as Administrator.”

MS14-056, he said, should be prioritized first, with the remaining critical updates coming next. MS14-058 contains fixes for two issues in Windows that are already known to be under attack.

“The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts,” according to Microsoft. “In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.”

The final critical bulletin is MS14-057, which addresses vulnerabilities in the .NET Framework. According to Microsoft, the most severe of these could allow remote code execution if an attacker sends a specially-crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.

The remaining bulletins are rated ‘Important’ and cover issues in Microsoft Windows, Developer Tools and Microsoft Office.

Adobe Systems also released patches today to address issues in Adobe Flash Player.

“Adobe is releasing an update to their Flash player with advisory APSB14-22, which addresses three RCE [remote code execution] type vulnerabilities,” blogged Qualys CTO Wolfgang Kandek. “Installations that run the newer Internet Explorer 10 and 11 get this update automatically. Users of older browsers or on other operating systems should apply this critical update manually.”

Brian Prince is a Contributing Writer for SecurityWeek.

SecurityWeek RSS Feed

Advantages and drawbacks regarding the Access Application for SharePoint 2013

Posted on October 14, 2014 by in SharePoint

Tags: SharePoint 2013
Enterprise Personal & Collaboration

Why are Access 2013 Apps great? Here are a few reasons:

They have a SQL Server back end
You can use SQL Server Reporting Services, Excel, or any other product that supports SQL Azure or SQL Server over ODBC to build reports on the Access App data
When you use app templates or tables, views and navigation are created for you
There are new Related Items controls that make building views easy, and they have a consistent look and feel
One-click publishing
Search is built in and user friendly

test database templates

What are SharePoint 2013 Apps?

The app model lets developers build custom applications that can be published to the Office Store for public download, or to the Corporate Catalog, an organization's internal App Catalog site, from which users can add them to their SharePoint sites. Among the out-of-box apps is the Access App, which makes it easy to add Access 2013 databases to SharePoint 2013 sites.

What exactly is the Access App?

This out-of-box, no-code app lets us put Access databases into SharePoint and comes with some great features (listed above) that I will go into in more detail in the next sections. Its purpose is to offer a more reliable, faster and more durable way of getting relational data into SharePoint without the burden of building something from the ground up. Microsoft Office Access 2013 includes a number of templates for Access web apps and tables to get you started.

Top Access App feature

It is a great alternative to creating a list in SharePoint when you know it will grow into a "large list". Not only does it handle large data sets and give fast access to the data, it also lets external SQL Server and SQL Azure-based resources get at the data.

Want to know how it works?

When you create the app in Microsoft Office Access 2013, you choose the site where it will live.
As part of publishing the app to SharePoint, a SQL database is provisioned to hold all the objects and data the app needs.
The database that is created is specific to your app and, by default, is not shared with other apps.
When you create a table in the app, a table is created in the database.
When you create a query in the app, a SQL Server view is created, or, if your query takes a parameter, a table-valued function.
When you create a standalone macro in the app, a stored procedure is created in SQL Server.
Views in Access are the parts of your app that display the data in the browser. They are also stored in the database, but as text, because they are HTML and JavaScript rather than SQL objects.

Save & Publish

Other benefits worth mentioning

When building the Access App, you can choose one of the simple, quick templates or start from scratch with a custom app. Either way, once you have designed your database, click Launch App and, in just a few clicks, you have a working no-code app in SharePoint that includes a search tool.

By Amy Sawtell, December 10, 2013
Source: http://www.cardinalsolutions.com/cardinal/blog/portals/2013/12/the_pros_and_consof.html

The Windows Mobile Strategy For Microsoft Office 2013

Posted on February 2, 2013 by in Blog

Is Microsoft Office 2013 Working

Microsoft is pinching CIOs by not providing an easy way to run the just-released Microsoft Office 2013 except on Windows RT, the operating system for its Surface tablets. With little cross-platform integration, Microsoft is creating an opening for vendors that have a clearer path to a complete mobile workflow. Outlook is the killer app for Microsoft, but the company has not shown any interest in releasing it for Office on the Surface or any other mobile device, said analyst Esteban Kolsky, founder of ThinkJar. Instead, Microsoft makes the case for Office365 in the cloud. But so far it only has 20 to 30 percent of the functionality that a customer would get with the desktop version of Microsoft Office. See Sarah Perez’s article for her take on the latest from Office365.

Forrester Research Analyst Phil Karcher said to me in an email that Microsoft does have a complete suite of mobile apps for Windows RT and Windows Phone, but only has Lync and OneNote apps for iOS and Android devices. It has improved browser access to SharePoint 2013, which benefits users on Android and iOS. However, it does not have mobile versions of its core office productivity applications — Word, Excel, PowerPoint on iOS and Android. He sees it as a matter of time before Microsoft opens up more to other platforms.

But Karcher said that competitors have a mixed bag, too:

Google Drive has more editing functionality on Android devices than it does on iOS today. It only introduced editing capabilities for its iOS app in September, and to my understanding only supports docs, not spreadsheets or presentations. IBM Docs has native apps with comprehensive functionality for iOS and Android today, including collaborative document editing from those devices. But a major complaint from users in general is that they want compatibility with their documents formats. Both Google and Android have the advantage of native mobile apps on popular platforms and continue to present alternatives to Microsoft for office productivity in general. But any first mover advantage in mobile support I suspect may be short-lived.

Zoho Evangelist Raju Vegesna said similarly that Windows Phone’s poor market share is a main factor in how Office fares, especially as the desktop recedes in importance:

With Windows Phone share lingering at less than 5 percent and with no iOS and Android versions of Office, users will look for alternatives. Remember, mobile share is going to be more important than desktop marketshare moving forward. Countries like India have 10x more mobile users than desktop users.

I’d love to see Office365 become something important. That would be a shift. The issue for Office comes down to portability. I should be able to open any document, on any device and have an experience that makes the mobile workflow somewhat seamless.

But in truth, not one vendor has the mobile workflow working. It is still a mix of vendors, providing different tools in their various suites. IBM Domino, for instance, integrates with IBM Traveler, its mobile software for pushing email to mobile devices. IBM Docs integrates OpenSocial, providing a clean web experience. But at least one IBM customer I talked to uses SAP Afaria to manage its mobile devices. That shows the mix that we will continue to see as customers seek out their own workflows for connecting employees and their mobile devices.

Original Page: http://t.co/hjRmxbHu

How to open Word 2007 documents in Word 2003

Posted on December 19, 2012 by in Microsoft Office

Have you ever tried to open a Word 2007 document in Word 2003? If so, this post should help. Microsoft has released newer versions of its popular Office suite, Microsoft Office 2007 and Microsoft Office 2010, which offer more features and a nicer interface than earlier versions. Most Windows users still have Microsoft Office 2003 installed, but a growing number have started using Word 2007. A document created on a computer running Office 2007 is saved in the .docx format, which cannot be opened on Office 2003 systems, which use the .doc format. When you send a .docx document to someone running Office 2003, they cannot open it, which is a real nuisance. Here are the ways to open Word 2007 documents in Word 2003; follow whichever step suits you best:

1. Use the Save as Word 97-2003 option

If you are working on the document yourself, you can save it in .doc format. Look at the Save As options in Word 2007; you will see an option named Word 97-2003 Document. Use it, and your document will be saved in the .doc format.

2. Use a file format converter

You can download one of the various file format converters available on the web. With a converter you can turn any .docx file into the format you need.

3. Install the Compatibility Pack

Microsoft is well aware of this problem. To address it, Microsoft provides the Microsoft Office Compatibility Pack. Install it and you will be able to open .docx files on a computer running Office 2003. You will also be able to open Office 2007 PowerPoint and Excel files in Office 2003. This is a permanent solution to these problems.

To download the Microsoft Office Compatibility Pack, please follow this link.

Source: http://techcreak.com/how-to-open-word-2007-documents-in-word-2003.html