Users have been complaining since September about the third-party program, called Superfish, which injects product recommendations into search results. But it only emerged Wednesday that the program also opens a serious security hole.
The program interferes with SSL-encrypted Web traffic by installing its own root certificate in the trusted certificate store used by browsers. It then uses it to generate SSL certificates for HTTPS-enabled websites when they are visited by users. This allows it to act as a man-in-the-middle proxy between users and those secure websites.
“I have a bunch of very embarrassed engineers on my staff right now,” Lenovo CTO Peter Hortensius said in an interview Thursday. “They missed this.”
Security experts discovered that the certificate’s private key can be recovered by reverse-engineering the software, enabling malicious hackers to launch man-in-the-middle attacks when users connect to public Wi-Fi hotspots or compromised networks. This was confirmed by Robert Graham, CTO of Errata Security, who managed to extract the private key.
The fact that Superfish has left users vulnerable to attack is unacceptable, Hortensius said. He said Lenovo wasn’t aware of the vulnerability until it was publicly disclosed.
The company is working to “make this right,” he said. It has already published instructions for how users can remove Superfish, and it will soon release a clean-up tool that will uninstall the program and delete the root certificate it created. The tool could be released as early as later today.
Lenovo is also investigating ways to deliver the tool as an automatic patch, possibly through partners such as Microsoft and McAfee, instead of relying on users to download it from its website. It’s also looking at how it might be able to remove the software from the “preload” of the affected laptops – the Windows deployment preloaded with drivers and software that’s stored on the hidden recovery partition and used for factory resets.
Rectifying this also means setting up mechanisms to ensure something like this doesn’t happen again, Hortensius said. “We’ll make sure to have a much more detailed understanding of programs that go on our preload and they will not go if we think they’re open to attack.”
In the meantime, Lenovo has been in contact with browser and antivirus vendors to discuss ways of fixing the issue.
Browser vendors will likely add the Superfish root certificate to their blacklists, which would prevent it from being trusted by browsers even if it’s not removed. However, there are other programs that use encryption, like VPN clients, that rely on the Windows certificate store to establish trust and to validate the certificates they receive. Those could be open to attack as well, if the Superfish certificate is not removed.
Initially, Firefox users were thought to be unaffected, because Firefox uses its own root certificate store rather than the one in Windows. However, the Electronic Frontier Foundation discovered 44,000 man-in-the-middle certificates signed by the same Superfish root certificate through its Decentralized SSL Observatory project, which collects data from Firefox browsers that have the HTTPS Everywhere extension installed.
“This either indicates that Superfish also injects its certificate into the Firefox root store, or that on a large number of occasions Firefox users have been clicking through certificate warnings caused by Superfish MITM attacks,” the EFF said in a blog post.
“At the end of the day, we messed up badly,” Hortensius said. “There is no other way to say it. We’re not trying to hide. We’re trying to do everything we can do to solve the problem for people and subsequently make sure this doesn’t happen again.”
According to Lenovo, the Superfish software was only installed on some consumer laptops sold through retail stores between September and January. The company stopped preloading the software after receiving negative feedback from users and asked Superfish to remotely disable the service for existing installations.
However, while this stopped the intrusive product recommendations, it did not remove the software or the root certificate it created. In fact, Lenovo confirmed that even if the software is uninstalled manually, the root certificate, and hence the vulnerability, is left behind. That’s why the company plans to release the separate clean-up tool.
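Because uninstalling the program leaves the root certificate in the Windows store, an administrator who wants to check a machine before Lenovo's tool is available has to look at the certificate store directly. The following PowerShell script is an added example and is not Lenovo's clean-up tool; it assumes only that the certificate's subject name contains the string "Superfish" (the article gives no thumbprint, so it matches on the name and prints what it finds before deleting anything). It must be run in an elevated session to touch the LocalMachine store.

```powershell
# Added example (not Lenovo's clean-up tool): find a trusted root certificate
# by subject name in the Windows root stores, list it, remove it, and verify.
# Assumption: the Superfish root's Subject contains "Superfish". The article
# gives no thumbprint, so the match is by name; review the listing before removal.
$pattern = '*Superfish*'            # assumed subject substring
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-RootCert {
    param([string[]]$Paths, [string]$SubjectPattern)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path | Where-Object { $_.Subject -like $SubjectPattern }
    }
}

$found = @(Find-RootCert -Paths $stores -SubjectPattern $pattern)

if ($found.Count -eq 0) {
    Write-Output "No root certificate matching '$pattern' found in $($stores -join ', ')."
    return
}

# Show what will be removed (store path, subject, thumbprint, expiry) first.
$found | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-Table -AutoSize

foreach ($cert in $found) {
    Write-Output "Removing $($cert.Thumbprint) from $($cert.PSParentPath)"
    Remove-Item -Path $cert.PSPath -Force
}

# Verify: the same query must now return nothing.
$remaining = @(Find-RootCert -Paths $stores -SubjectPattern $pattern)
if ($remaining.Count -eq 0) {
    Write-Output "Removal verified: no matching root certificate remains."
} else {
    Write-Warning "$($remaining.Count) matching certificate(s) still present; re-run elevated."
}
```

Removing the certificate from the Windows store addresses the browsers and VPN clients that rely on it, as described above; it does not touch Firefox's separate certificate store, which has to be checked on its own.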
Laptops that may have come preloaded with the Superfish software are in the company’s G Series, U Series, Y Series, Z Series, S Series, Flex Series, MIIX Series, YOGA Series and E Series.