Lenovo to customers: We only just found out about this Superfish vuln – remove it NOW

A bruised Lenovo has finally released a removal tool for the Superfish vuln that hijacks web browsers to inject ads into pages. It comes after the Chinese PC maker spent the past few days attempting to make the bad news about the badware go away, with the claim that it had "stopped preloads [of the Superfish software] …


  1. Anonymous Coward

    Orange Alert!

    "We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

    Which threat? The security threat, or the threat to their bottom line?

    1. Mad Chaz

      Re: Orange Alert!

      "Which threat? The security threat, or the threat to their bottom line?"

      I think it's the threat to the PR director's job that got them moving.

      1. JLV

        Re: Orange Alert!

        Upvoted you, but you got that slightly wrong. The PR dudette is gonna be very very busy repairing the mess. Not the time to fire her while there is such a big mess that she had nothing to do with.

        The threat is probably to whatever C-level idiot gave the green flag to essentially hacking users' net connections in order to serve up ads. Which is reprehensible enough on its own. And incidentally doing so in a highly insecure fashion.

        Not sure whose department this fiasco would be initiated under. I guess whatever department is traditionally tasked with inflicting bloatware onto customers. This is going to be an expensive mistake for likely little gain.

        MS should take note as well. This is not their fault, true, but they also provide no means for users to do a clean-slate, non-manufacturer bloat, install of Windows. By that I mean provide essentially the same disks/downloads as if you walked into a store and bought Windows off the shelf. Not their fault, but it leaves you with the same question: can you trust your brand-new PC? No, not entirely.

        We should get a valid, go-to-MS-when-needed, OEM license for Windows, not just some bloated manufacturer install. I for one have no idea what happens if I re-format my Asus laptop. I assume I can re-install Windows somehow from their recovery partition, but I won't know that unless I try it. I know how to rebuild with a Windows install disk and I would much prefer to be in that position with my Asus.

        So people rightly worried at this could either pay the Windows tax twice to get a clean disk, buy a Mac or use Linux. Leaving aside that Apple may or may not do this Lenovo-style crap, which I doubt, but at least you can get clean-install-capable OS images from them.

        Lenovo really sh*t in their own nest, as well as the PC ecosystem in general on this one.

        1. jason 7

          Re: Orange Alert!

          If you use the recovery partition then 99 times out of 100 you get all the bloatware re-installed.

          Nothing like having a laptop freshly installed with mouldy 3+ year old installs of Adobe Acrobat/Flash/Java/Skype/Wild Tangent Games/Oberon Media/OoVoo/Ebay links/Cyberlink DVD player/McAfee/Nero Express/Norton Backup/Power2Go/Bing Bar/Google Tool Bar etc. etc.

          Mmmm smooth!

          1. Anonymous Coward

            Re: Orange Alert!

            LOL, good one, at least we can get a laugh about this very pathetic story. Just like when Microsoft told me they can't send me recovery media for Windows 8.1 because I've bought Windows 8 and 8.1 is an upgrade, not an update. My kids are already using Linux, Windows 8 is too complicated to re-install.

            It's just too bad that it's so complicated to find something not made in China anymore...

            1. Steve78

              Re: Orange Alert!

              You can download Windows 8.1 directly from Microsoft.

              http://windows.microsoft.com/en-GB/windows-8/create-reset-refresh-media

        2. regadpellagru

          Re: Orange Alert!

          "MS should take note as well. This is not their fault, true, but they also provide no means for users to do a clean-slate, non-manufacturer bloat, install of Windows. By that I mean provide essentially the same disks/downloads as if you walked into a store and bought Windows off the shelf. Not their fault, but it leaves you with the same question: can you trust your brand-new PC? No, not entirely.

          We should get a valid, go-to-MS-when-needed, OEM license for Windows, not just some bloated manufacturer install. I for one have no idea what happens if I re-format my Asus laptop. I assume I can re-install Windows somehow from their recovery partition, but I won't know that unless I try it. I know how to rebuild with a Windows install disk and I would much prefer to be in that position with my Asus."

          That's actually a very good point. I've always been very worried of seeing people around me *never* get an MS install disk, and being served the usual "recovery partition" pitch by whatever sales droid.

          Now I know why: the OS sold is not the one from MS, but from the vendor, who definitely has incentives to put crapware in it, unlike MS.

          Creepy.

          1. P. Lee

            Re: Orange Alert!

            >MS should take note as well. This is not their fault,

            Oh yes it is MS' fault. They are seeding the market with cheap Windows but trying to preserve the high cost of retail/business Windows by allowing OEMs to devalue OEM-Windows by bundling rubbish into the install.

            They could protect their IP by only allowing HW drivers to be included in an OEM Windows installation. "Helpful additional software" to be provided as an option afterwards.

            MS could also provide clean easily accessible Windows images for DVD & USB installation.

            1. fajensen

              Re: Orange Alert!

              And MS could make "Applocker" available, scriptable, and Easy To Use on ALL its products, even the consumer versions. That would help a great deal to prevent the next infection with Snap.Do - and all other dreck signed by "ReSoft Ltd". Of course nuking the ReSoft site would also work.

            2. Tom 13

              Re: allowing OEMs to devalue OEM-Windows by bundling rubbish

              Whether or not the OEM install devalues the install is entirely up to the OEM.

              Granted in the current incarnation of Windows, it's a bit hard to get the drivers wrong. But that hasn't always been the case. I recall plenty of builds requiring me to hit F4 at just the right point to add a third party driver or the OS install would fail.

              I even recall one particularly odious problem where a new motherboard wouldn't accept a reliable, known working device after we upgraded a MB. Apparently Intel made a change to the ATA channel and it wasn't backward compatible. Spent three days working on that one before our chief tech called the device vendor and found there was a driver problem they weren't planning to fix. For those situations the OEM build is preferable. The device was actually pretty handy. It was a CD jukebox that would let you load 5 CDs and access any one of them. Had to replace it with a SCSI controller and device that cost the client almost as much as they originally paid for the PC. Took a serious loss on that one because we obviously couldn't charge them for 3 days of tech time.

        3. pompurin

          Re: Orange Alert!

          I've bought two Medion Laptops (made famous by Aldi) direct online and they had an excellent way of recovering. They use a secondary partition like most manufacturers do, but they had a list of driver folders from 01 to 13 in the order you were expected to install. Within ten minutes of a fresh install I had all the drivers installed and solved all of the usual issues I have with Windows like Wifi, Bluetooth, SD Card readers, Laptop hotkeys. Not a bit of bloatware in sight. That's nice.

        4. Micha

          Re: Orange Alert!

          You can download Microsoft Windows ISOs for free. Just make sure you have your product key! And that you verify the MS-published checksums to ensure you really did get the MS ISO without any crapware.

          Took seconds to find this link; I'm sure there are ISOs for non-Ultimate versions as well...

          http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/where-can-i-download-windows-7-iso-i-have-a/7d964b05-2be9-4800-bc7f-3ca30356fc3d

    2. Fatman

      Re: Orange Alert!

      NOOOOOOO!!!!!

      It is BROWN STUFF alert (as in the substance hitting the fan).

      This incident only makes it clear that any IT department worth its salt would:

      1) wipe the OEM preload with their own image, or

      2) nuke the goddamn thing from orbit and put Linux on it - a better (IMHO) solution, assuming that one isn't LOCKED into the WindblowZE platform.

      1. Blitterbug

        Re: WindblowZE

        Seriously? This, still?

    3. Tom 13

      Re: Orange Alert!

      I can definitively say the answer to that question is 'Yes!'

  2. John H Woods

    "Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party"

    Errr ... no. That vulnerability is the entire purpose of the software produced by that third party ... and you were paid by that third party for including that software.

    1. Richard 12

      Correction

      Superfish were the party in question.

      Unless they outsourced their entire product, in which case, they are not only evil, but stupid as well.

      1. Doctor Syntax

        Re: Correction

        "Superfish were the party in question"

        The quote about a 3rd party seems to have been from a statement by Superfish. It turns out that the SSL interception stuff they used came from Komodia. It looks, then, as if the 3rd party they're trying to point the finger at is Komodia. So are they claiming they didn't know the implications of the stuff they bought in from Komodia?

        1. Japhy Ryder

          Re: Correction

          Komodia are very explicit on their website about what their stuff is, what it does and how it does it. To wit:

          "Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning."

          That is right in the middle of the home page. I don't really see how you could miss it unless you wanted to.

          Komodia now say their website has been DDoSed offline following the media attention, but you can see how it used to be on the Internet Archive.

    2. JLV

      Which begs the question of who else is on Superfish's payroll. Is it just Lenovo? I mean, it would hardly be a good business model for Superfish if they were entirely dependent on Lenovo.

      1. Mark 85

        Valid question.. for which there doesn't seem to be an answer. I've checked the two PCs and one laptop in our household and they are clean (of this beast, at least). None are Lenovos. But not only Superfish, what else is out there that we haven't heard about?

        1. P. Lee

          >who else is on Superfish's payroll

          Cue software name change in 3, 2, 1...

          It also highlights the power of having a root cert installed.

          Sure you can audit the list, but do you really trust all those CAs?

          1. Tom 13

            Re: Sure you can audit the list, but do you really trust all those CAs?

            Snarky answer:

            No. Truth be told, I don't even really trust the ones I have to.

            More truthful answer:

            No. But it's such a PITA keeping track of who is trustworthy and who isn't that I mostly accept the defaults. The good news is the desktop I rolled myself, so minimal exposure there. But it's really hard to roll your own laptop, even if you're in the biz. And cleaning out the crap is nearly impossible.

  3. Michael Thibault

    Two heads are better than one

    Both Lenovo and Superfish owe, big time--at least one apiece. Nobody wearing a red shirt, though. Unless it's silk.

  4. x 7

    1) "It added that it was working with Microsoft and McAfee to help the firm kill or, at least, quarantine the crapware." Well, that will be the first time McAfee removes crapware: most of it McAfee doesn't touch

    2) Assuming it's a Windows 8 machine, then using F8 at startup and doing a "system refresh" should give you a clean install - sans crapware and drivers. You should then be able to install those one by one as desired from the on-disk repository

    1. Blitterbug

      Re: a "system refresh" should give you a clean install - sans crapware

      Mmm... not in my experience, sadly. Plus good luck with F8-ing Win8 while booting. I believe that's disabled by default, which is why I carry around a 16GB Win8 recovery USB I made from my own laptop for dealing with nerfed systems. All the crap always seems to come back, but at least the recovery USB has always worked, on any make and model of Win8 machine.

  5. Anonymous Coward

    "Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party."

    That's bollocks.

  6. x 7

    Just checked the Superfish website - looks like they are keeping their heads down. Last press release was 11th Feb http://www.home.superfish.com/#!news/c1w2u

    Someone asked who else used Superfish - this gives an idea (http://www.xenia.co.il/Superfish)

    "Superfish sells its search capabilities to several major customers in the eCommerce space; in Q10 Superfish launched its consumer application, a browser add-on that uses visual search technology to help consumers find deals and other visually-similar items instantly while shopping. The product works on almost any product and on hundreds of shopping sites including Amazon.com, Best Buy, eBay, Macy's, and Overstock.com. Current index covers over 60 million products".

    Meanwhile http://trends.builtwith.com/websitelist/SuperFish reckons there are currently "2,881,734 active sites using SuperFish" - you can buy a list of them there if you want

    1. Robert Helpmann??

      Not limited in...

      Meanwhile http://trends.builtwith.com/websitelist/SuperFish reckons there are currently "2,881,734 active sites using SuperFish"

      So what you are saying is that their efforts scale well? Mine's the one with the fake cert in the pocket.

  7. x 7

    This Forbes article is worth a read

    http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

    Turns out that the CEO of Superfish has quite a long history in the surveillance industry

    To quote

    "Pinhas, the co-founder, has an interesting history, especially from a privacy perspective. According to his LinkedIn profile, in 1999 he co-founded a company called Vigilant Technology, which “invented digital video recording for the surveillance market”. That company is still thriving today, boasting contracts with a diverse range of big-name clients, including the US military’s White Sands Missile Range, Paradise Casinos in California and Arizona, and a number of Israeli government organisations.

    "Prior to that, former Tel Aviv resident Pinhas worked at Verint, an intelligence company with a tumultuous history, where he carried out “signal processing research” in which he’d recognise and analyse anything going over a telephone line. Verint was founded by members of the elite military intelligence agency Unit 8200. It was featured in a Wired article in 2012, in which it was alleged Verint tapped Verizon’s communications lines and was supposedly working with the National Security Agency in doing so. Just a year later, Edward Snowden would reveal Verizon had let the NSA tap all customers’ communications. One wonders if Pinhas was ever involved in those shady operations. Did that lead to his move to the West Coast?"

    And there's more, which I won't copy for fear of copyright problems

  8. A Ghost

    Another list to add to

    So we can add being disingenuous and non-contrite to the list as well. Great.

    This is one company I know where I stand with.

    I'm the kind of person that has 'brand loyalty' if such a person exists. Sure we all go for the best deal and what suits us at the time, but all things being equal if I have had good products that have lasted or products that have broken and been fixed, then I'll go with that.

    I had several Toshiba products for example, starting off with my first ever boy's own BoomBox. Great little (or not so little) thing that was. My romance with Toshiba had begun! Culminating several years later in a fantastic little Tecra laptop. Everything in between if I could, I bought Toshiba. But then, let's just say I had a very bad experience with them and a newer laptop that died on me. I was pointed to a shop on Tottenham Court Rd. to get it fixed where they tried to gouge me and tried to withhold the hard drive in ransom for an extortionate payment. That didn't work out too well for them. I can't even remember now if they were an official 'repair' shop or something like that for them - I think they were, but don't quote me on that. Suffice to say it did not leverage my immersive experience as a most valued customer, with 'brand loyalty'. I swore I'd never buy Toshiba again. And I haven't. And I won't. When the trust is gone it's gone. For good.

    This was at a time where it was extremely expensive to back your stuff up. Back up writers cost as much as the laptop itself, often more for good ones. Cue iomega. I had three drives fail on me in a row. They just flat out refused to issue a fourth one saying 'that's yer lot - no more!' But, but, but... I spluttered. Needless to say another company I refused to look at again.

    But, looking back with hindsight and having calmed down a bit about it all (you can see I've still not got quite over it ;-)), that was a different age. They were working and trialing and finessing the technology and of course things were bound to go wrong. These things happen.

    And now here we are today, in what should be the Golden Era of Technology. Pretty much all that stuff has now been worked out and failure rates are as low as they are ever likely to be in our lifetimes. Companies know from experience what sort of level of customer support is expected and what they can get away with giving, and on the whole, hardware wise, most of us are happy campers. And they have to go and spoil it all by pissing in our nice shiny new toybox! The bastards.

    People said the early days of the internet/web were like the wild west. But I don't think it's half as bad as it's got now. At least then there was some kind of egalitarian dream. That this kind of technology was going to level the playing field, and for once in the favour of the end user and common man. God, I sound like Hunter S Thompson, eulogizing about high water marks and where if you stood in the right place at the right time, there was a sense that we were WINNING.

    I've run out of steam writing my mediocre comedy sketches with the mythical Carl and Donna. I'm not sure how much more comedy value is left in this now. I was going to post earlier, but I was only going to say what others have said, and I truly feared for my sanity or comprehension of the facts. Another WTF moment to surpass all others, where being data raped is either flat out obfuscated to be something 'good' for you, or flat out denied that it never happened in the first place. Well, ok, it did happen, but the people in charge, those responsible and culpable knew nothing about it.

    When I was a paper boy (I was never a paper boy - I was a lazy little sod - still am) if I had told Mr. Gupta at the corner shop that the reason all his newspapers were not delivered and found in a local skip, was that a big boy had nicked them off me and run away, he might have believed me the once. But again and again and again? How many more times would I have got away with it? But it's one rule for multi national corporations and another for lazy little paperboys.

    I won't be buying Samsung again either, another company I had brand loyalty to. Over. I'm not going to bore you further - if you made it this far you deserve a medal. Btw if you type 'Lenovo' into Google, this article is third on the list.

    1. LaeMing

      Re: Another list to add to

      Yes, brand loyalty is a two-sided coin: "There is no wrath like that of a zealot betrayed."

      (Not accusing you of zealotry, that is just the way the saying is traditionally worded.)

      - A former indie dev on Apple's platforms (don't get me started!)

      1. A Ghost

        Re: Another list to add to

        No you're quite right. I was a zealot.

        At least I was zealous about finishing university that year and backing my stuff up. The Toshiba blowing up (there was a class action against them in fact for this particular model, but in the U.S.) was bad enough, but the iomega debacle added insult to injury.

        In hindsight, I think it was probably just good old fashioned bitterness and spite more than anything pertaining to some kind of misguided utopian ideal, that drove me on.

  9. Little Mouse

    Quarantine

    We can all do our bit to help "quarantine the crapware" - by making sure Lenovo laptops never leave Lenovo warehouses.

  10. bob, mon!

    lenovo and market pressure

    I'll consider replacing my current workstation-grade laptop with a Lenovo - IF they clean up their act, and keep the crapware off and the build quality up. The commercial-grade thinkpads have been sinking, but are still pretty good. And I'll do a fresh OS install anyway.

    Sadly, I don't believe that *any* of the vendors are lily-white in this market. If one of them gets burned enough to clean up their act, that'll have to be good enough when it comes to the next sale.

    1. GregC

      Re: lenovo and market pressure

      I'll offer a vendor that may or may not be lily white, but did almost* everything right when I bought a laptop from them in the middle of last year - PC Specialist.

      No crapware installed? Check. I had options of having antivirus and Office trials installed, but the important thing is they were options - I chose "No antivirus" and "No office software", and sure enough there wasn't any. And there was nothing else, either.

      Choice of OS? Check. Win 8 or 7, or no OS at all if that's your preference. They could get a bonus point by offering a Linux, but then which one?

      Proper, old fashioned, install media? Check. Vanilla Win7 DVD in the box.

      Extra little touches - how would you like your HDD partitioned for example. Just saved me a little job, cool.

      Basically they delivered the machine I wanted, ready to go, complete with reinstall media should I need it. And no crapware. Price? Reasonable for the spec I wanted. I would recommend them to anyone who's not in a huge rush (see *note...)

      *My only real problem was with the build/delivery time - what was "estimated" at the time I ordered it was 7-10 working days, and it was nearer 14. Doing my research before ordering, this was a fairly common theme, but also the only major complaint I found and I wasn't in that much of a hurry. That said when I rang them to see what was going on I spoke to a bloke in Leeds, who went to the production area, found my order, and told me what to expect. That works for me.

      Reading this back it sounds like an ad. It's not, I'm just a satisfied customer. Whether the model of basically making decent machines for a sensible price, without installing crap, is sustainable we'll see I guess...

      1. Tom 13

        Re: It's not, I'm just a satisfied customer.

        That's actually the absolute BEST ad a company can have.

        Many CEOs would be well served to remember that.

        I've worked in IT repair for more than 15 years now. I'm not a sales guy, but I sold a fair bit of kit in my day. I could sell it because it was always an honest technical solution to the problem, not what I was pushing that day because of a SPIF.

  11. x 7

    More from Forbes

    First from that earlier link

    "As security expert Matt Suiche pointed out to me on Twitter, the password used to get the encryption key for the Superfish certificate authority (you can find more details on that in my previous article here) is “Komodia”. There’s a company called Komodia, which also does ad injection and “global proxy interception” – some very aggressive techniques. According to the company’s website (which is currently down because of an attack on the site), the founder, Barak Weichselbaum, was also part of the surveillance industrial complex in Israel, having carried out “military service as a programmer in the IDF’s Intelligence Core”. Komodia offers one service called SSL Digestor that carries out ad injects and effectively breaks encryption, just as Superfish was doing on Lenovo PCs. Suiche and Robert Graham of Errata Security are convinced that product was used by Superfish in the Lenovo case.

    So ex-surveillance agents, operating in both the private and public spheres, have ostensibly combined their powers to force ads onto people’s computers, leaving web users open to other forms of attack. That’s startling and frightening for anyone who cares about privacy or security."

    and from http://www.forbes.com/sites/thomasbrewster/2015/02/20/komodia-lenovo-superfish-ddos/

    "It’s becoming apparent that the Lenovo Superfish omnishambles affects far more people than initially thought. Whilst it’s likely millions of PCs have Superfish running on their systems, intercepting their traffic, throwing adware on their computers and leaving users in danger of being hacked, many more will be running the technology believed to underpin the Superfish ad injection service.

    The company behind that highly intrusive technology, known as SSL Digestor, is called Komodia. But anyone who wants to learn more about what it does won’t find out anything by visiting komodia.com today (which, ironically, doesn’t run over encrypted HTTPS connections). That’s because those visiting the site will find a brief, startling claim: it’s been hit with a Distributed Denial of Service (DDoS) attack due to “recent media attention”.

    What’s confusing here is that DDoS attacks usually swamp a server with traffic and take it offline, making the site completely inaccessible. But it’s still possible to reach komodia.com. Is the company simply claiming DDoS and hiding? That’s unlikely. Darren Anstee, from DDoS expert Arbor Networks, said that sometimes, when sites are under attack, the organisations running them move to using a more simplified page to reduce the load on the server. This might see a site’s graphic content removed or reduced.

    In a brief email conversation with Barak Weichselbaum, Komodia’s founder who was once a programmer in Israel’s IDF’s Intelligence Core, he said the company was not hiding behind DDoS claims and that the attack was real. “We had to decide if we focus on it, or on other things, we are busy as you can imagine. I saw on forums people say we’re hiding, the site can be seen from the internet archive, so no point trying to hide anything. Regarding the Lenovo Superfish story I’m unable to comment because of contractual reasons,” he told Forbes.

    He said the DDoS saw reams of requests hit the HTTP server, which made the PHP backend code processes “consume all the CPU”. “The static page doesn’t consume CPU with the level of this attack.” He hadn’t responded to further questions on the security implications of his technology.

    Why is Komodia now getting so much attention anyway? Because its hugely intrusive and poorly protected technology is found in many places on the web, according to Marc Rogers, principal security researcher at content delivery network CloudFlare. The technology can be found in various parental control software, including those made by Qustodio and the Israeli firm’s own “Keep My Family Secure” product, and in web filter products across the world. On Weichselbaum’s LinkedIn page, he says: “My biggest vision is to create a world where children can surf the internet safely, and I’m working to see this vision realized.”

    Worryingly, it’s very easy to extract and use the encryption key run by Komodia, largely because the password to access all different versions of the certificate is “komodia”. That means malicious hackers can craft their own SSL certificates, which are supposed to guarantee trust, with the Komodia key. They can then intercept people’s internet connections, create fake versions of certain websites and steal their data, as long as targets’ computers trust the Komodia certificates.

    “This means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected,” said Rogers.

    “This problem is much bigger than we thought it was.”

  12. x 7

    CERT advisory re Komodia

    CERT advisory re Komodia is at http://www.kb.cert.org/vuls/id/529496

    Also lists the following products as affected:

    Atom Security, Inc
    Infoweise
    KeepMyFamilySecure
    Komodia
    Kurupira
    Lavasoft
    Lenovo
    Qustodio
    Superfish
    Websecure Ltd

    May well be others.

    This guy managed to get shots of the Komodia website before it went offline:

    http://borncity.com/win/2015/02/20/komodia-ssl-certificates-and-hijacking-tech-are-widely-spread/

    You can see from there how it works.

    1. Solmyr ibn Wali Barad

      Re: CERT advisory re Komodia

      Lavasoft? Holy crap.

      Alas, seems to be true. Besides their usual ad-removal tools they have this Web Companion thingamabob, where Komodia served as an SSL analysis tool. Neat. And as a cherry on the pie, there's a fuss with Comodo certs too.

      arstechnica.com/security/2015/02/security-software-found-using-superfish-style-code-as-attacks-get-simpler/

      Lavasoft has said that they have removed Komodia. Not sure what'll happen with Comodo.

      1. Roland6

        Re: CERT advisory re Komodia

        This blog: https://gist.github.com/Wack0/17c56b77a90073be81d3 lists a few more parental control users of Komodia...

        What is notable at the moment is that no similar self-signed CA certificates have been discovered. However, because closing the door on self-signed certificates is going to be practically impossible, we can expect this attack vector to be used in the future...

        1. Solmyr ibn Wali Barad

          Re: CERT advisory re Komodia

          Thanks for the link. Especially loved the mention of ring0 rootkits.

          Now that is a worthy question, the most fundamental problem of modern IT - whose rootkit do you trust, in order to keep others out? Because not having a rootkit doesn't seem to be a valid option anymore. Most security products are using shady techniques, more like 50 shades, to give us a false and perverted sense of security.

          Fuckyouverymuch, purveyors of "safe computing experience". I'm going to build myself a stone abacus. Root THAT, suckers. We'll see how well you can handle a chisel.

          /rant off/

          1. Roland6 Silver badge

            Re: cert advisory re Komodia: Maxthon

            What I'm a little surprised about is how quiet the Maxthon crowd are: their browser fails both of the Superfish certificate tests, potentially due to poor design...

  13. gnasher729 Silver badge

    Total destruction of security

    Someone will surely correct me if I got this wrong:

    If I ordered some stuff from Amazon using a Lenovo computer, entered my credit card number on their super secure https site, then this "Superfish" company would have been capable of reading my credit card number, even without the vulnerability?

    And with the vulnerability, if I ordered some stuff from Amazon using a Lenovo computer, entered my credit card number on their super secure https site, then any hacker could redirect the traffic to their site instead of Amazon, and produce a faked certificate that the Lenovo computer would accept without hesitation, with no indication to the user what is going on?

    That is absolutely unbelievable.

    1. Anonymous Coward

      Re: Total destruction of security

      "Someone will surely correct me if I got this wrong:"

      You are not being paranoid enough. It's not limited to Lenovo computers. Anyone using *any* of the affected products from Komodia is vulnerable.

      "That is absolutely unbelievable."

      If only.

      1. Nigel 11

        Re: Total destruction of security

        You are not being paranoid enough.

        Add, anyone using technology licensed from Komodia, openly or covertly.

        Add, anyone using the same technique, without having licensed it from Komodia, and without having disclosed what they are actually up to.

        The real lesson is that SSL is really, truly, deeply flawed, and that it's a case of "broken by design" rather than "broken by accident".

        1. Roland6 Silver badge

          Re: Total destruction of security

          @Nigel 11 - would have upvoted, but your final sentence about SSL indicated that you don't understand that this isn't an SSL issue, it is a certificate handling and trust issue, which undermines much of the PKI security we've taken for granted.
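A defender-side check prompted by the trust-store point above, added here as an example and not taken from any commenter or vendor: a PowerShell script that walks the Windows root stores and flags certificates whose subject or issuer matches vendor names mentioned in this thread (the pattern list is an assumption) or that carry a private key on the local machine, which is what an interception product needs in order to mint leaf certificates on the fly.

```powershell
# Added example, not from the article or any commenter.
# Pattern list is an assumption drawn from names mentioned in the thread.
$suspectPatterns = @('Superfish', 'Komodia', 'Qustodio', 'Lavasoft', 'Websecure')

# Both machine-wide and per-user root stores can hold a rogue CA.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $nameHit = $suspectPatterns | Where-Object {
            $cert.Subject -match $_ -or $cert.Issuer -match $_
        }
        # A root CA whose private key lives on this box is the hallmark of
        # local TLS interception: the software must sign forged leaf certs.
        $keyHit = $cert.HasPrivateKey
        if ($nameHit -or $keyHit) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $keyHit
                Reason        = if ($nameHit) { "name matches: $($nameHit -join ', ')" }
                                else { 'private key present for a root CA' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No suspicious root certificates found.'
}
```

Run it from an elevated prompt so the LocalMachine stores are readable; an enterprise PKI or a local development CA can legitimately show a private key, so review hits before removing anything.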

  14. Innocent-Bystander*

    Dell Provides Clean USB Recovery Media (On Request)

    Although my (really good) experience was with Dell's premium support: when my optical drive-less Inspiron 7000 series laptop needed a new install (I threw out the spinner and installed an SSD in it), I just rang up their support line and they sent me:

    - A clean copy of Windows 8.1 OEM on a USB Key

    - a DVD with all the drivers

    - an external DVD combo drive

    All free; I didn't even have to pay shipping.

    So it's possible to get a clean copy of Windows, at least from Dell; I suspect other manufacturers will do it as well if you ask.

    1. Anonymous Coward

      Re: Dell Provides Clean USB Recovery Media (On Request)

      Wish I had known that earlier.

      Lenovo UK seem to be losing the plot.

      I ordered a laptop a few months back for a user. They started to get annoying MS 'this is not genuine Windows' messages. I called up the hotline. The message I got was you have to upgrade this to Win 8 - it will then pick up the licence key and then you can downgrade back to Win 7.

      To avoid disrupting the user I ordered another laptop, called the support line and was told yes, I had to do the same thing for this laptop. So I did - without any success. 3 different support people told me 3 different things (one was actually quite rude). The problem lay with the Win 8 licence, it seemed. I called Microsoft - no luck, they told me to get back to the reseller - which I did.

      They then got Lenovo to ship me some Win 7 Pro disks. I've been waiting over 2 weeks for this. Several calls and emails to both reseller and Lenovo were not fruitful. The sales folks at Lenovo have not returned my calls.

      2 MONTHS after I ordered the 2nd laptop I have ended up with 2 unvalidated laptops.

      I have now called another supplier and ordered a Dell laptop instead. The plan is to get this working and then send the 2 Lenovos back.

      We are now going to shift to either HP or Dell.

  15. Anonymous Coward

    Am I the only one…

    … who reads "Komodia" and can't help but recognise how similar the name sounds to "Commode"?
