PrivDog SSL compromise potentially worse than Superfish
Some versions of PrivDog software designed to block online ads compromise internet security in a similar way to Superfish
Some versions of PrivDog software, which is designed to block online ads from untrusted sources, compromises internet security in a similar way to Superfish but could be a greater threat, according to security researchers.
Like the Superfish software that was pre-installed on some Lenovo computers, PrivDog compromises the secure sockets layer (SSL) protocol used to secure online transactions.
Researchers found that in the process of replacing untrusted advertisements with ads from trusted sources, some versions of PrivDog make users vulnerable to attack.
While Superfish uses the same root certificate across all deployments, PrivDog does not validate certificates and will therefore accept rogue certificates that would normally raise security alerts.
“PrivDog is, in every sense, as malicious as Superfish. It intercepts and decrypts supposedly secure communication between the browser and a remote site (such as the user’s bank), ostensibly to insert its own advertising into pages in the browser,” said Simon Crosby, founder and co-founder of security firm Bromium.
“It is substantially more scary though because PrivDog effectively turns your browser into one that accepts every HTTPS certificate out there without checking its validity, increasing vulnerability to phishing attacks, for example,” he said.
PrivDog said in a statement that the vulnerability might affect more than 57,000 users and “potentially affects a very limited number of websites”.
However, the company said the issue has been corrected and that the update will be issued on 24 February 2015 to update all users of the affected versions of PrivDog.
“The potential issue has already been corrected. There will be an update [on 24 February] which will automatically update all 57,568 users of these specific PrivDog versions.”
Some security researchers have described PrivDog as being worse than Superfish mainly because of links to the security firm Comodo, which issues security certificates used by a third of the world’s websites.
“Both Superfish and PrivDog ship with software from Comodo, which is key to inserting the backdoor in the browser. Comodo is also an Internet Certificate Authority, which users rely on to validate certificates from internet sites,” said Crosby.
He accused Comodo of abusing its position as a Certificate Authority by nullifying secure communications over the internet.
PrivDog was developed by Comodo founder Melih Abdulhayogulu, and some versions of it are packaged with Comodo's own software, but Comodo told the BBC that the affected versions of PrivDog "had never been distributed" by it.
And in a blog post written in January 2014, Abdulhayogulu said he had developed PrivDog "with the privacy of the user in mind".
But PrivDog is among more than a dozen examples of software that have been found to compromise SSL since the fault was identified in Superfish in mid-February.
Most of the offending software, including anti-malware software and parental controls, has been linked to Israeli startup Komodia, which produces software for other companies.
The Komodia framework, known as SSL Decoder, is believed to enable SSL hijacking, but Komodia has declined to comment on the allegations by security researchers, according to The Guardian.
In an email to The Associated Press, Superfish said its software was safe, but that the security flaw had been introduced unintentionally by Komodia.
This means any company or software using the same Komodia code as Superfish could be affected by the same security vulnerabilities as Superfish.
Lenovo pre-installed Superfish on some of its computers to help consumers find products by visually analysing images on the web to find the cheapest ones.
However, security researchers found that it compromises SSL by intercepting connections and issuing fake website certificates that could expose users to man-in-the-middle attacks.
Lenovo has since released a tool to enable customers to remove the software and fake certificates from their computers and is facing a lawsuit in a class action that claims Lenovo violated privacy laws.
Read more about security risks of adware
- Some Android applications contain adware that often exposes users’ personal information, according to researchers.
- Lenovo’s choice to pre-install Superfish adware on its computers introduces a security vulnerability.
- A class action lawsuit has been filed against Lenovo after it emerged the company pre-installed adware that made customers vulnerable to man-in-the-middle attacks.
In its latest attempt to assure customers, Lenovo has issued an open letter by chief technology officer Peter Hortensius detailing the action taken by the company to address the security risk of Superfish.
He said that as soon as reports of the security risk emerged, Lenovo had taken steps to remove Superfish from all Lenovo computers.
“Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologise,” he said.
The open letter said Lenovo has stopped the pre-loads and will not include this Superfish software in any devices in the future.
Lenovo has also worked with partners to make its PCs safe from this vulnerability, the letter said, and provided a manual fix on 19 February and an automated removal tool the following day
“Our partners, Microsoft, McAfee and Symantec updated their software to automatically disable and remove this Superfish software. This means users with any of these products active will be automatically protected. We thank them for their quick response,” said Hortensius.
“Together, these actions mean all new products already in inventory will be protected. Shortly after the system is first powered-on the anti-virus program will initiate a scan and then remove Superfish from the system. For systems which are re-imaged from the backup partition on the HDD, Superfish will also be removed in the same manner. For products already in use, Superfish will be removed when their anti-virus programs update,” the letter said.
Hortensius said Lenovo is developing a plan to address software vulnerabilities and security with defined actions that will be made public by the end of February.
He said Lenovo is exploring a range of options, including creating a cleaner set of software for its PCs and working directly with users, privacy/security experts and others to create the right preload strategy.
“We are determined to make this situation better, deliver safer and more secure products and help our industry address – and prevent – the kind of vulnerabilities that were exposed in the last week,” he said.