2015-02-21
(Adds statement from Lenovo; corrects spelling of Komodia CEO's name)
By Jim Finkle
BOSTON, Feb 20 - The U.S. government on Friday advised Lenovo Group Ltd customers to remove "Superfish," a program pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks.
The Department of Homeland Security said in an alert that the program makes users vulnerable to a type of cyberattack known as SSL spoofing, in which remote attackers can read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks.
"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the agency said.
Adi Pinhas, chief executive of Palo Alto, California-based Superfish, said in a statement that his company's software helps users achieve more relevant search results based on images of products viewed. He said the vulnerability was "inadvertently" introduced by Israel-based Komodia, which built the application described in the government notice.
Komodia CEO Barak Weichselbaum declined comment on the vulnerability.
Lenovo apologized late on Friday in a statement for "causing these concerns among our users" and said that it was "exploring every action we can" to address the issues around Superfish, including offering tools to remove the software and certificate.
"We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday (Thursday)," the Lenovo statement said.
"We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it," the company said.
Komodia's website says it produces a "hijacker" that allows users to view data encrypted with SSL technology.
"The hijacker uses Komodia's redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser's certification warning," according to the site.
Marc Rogers, a researcher with CloudFlare, said that means companies which deploy Komodia technology can snoop on web traffic.
"These guys can do everything from just collect a little bit of marketing information, all the way to building a profile on you and spying on your banking connections," he said. "It's a very dangerous slope."
Rogers said that use of Komodia's technology in other products makes them vulnerable to the same types of attacks as Lenovo's Superfish.
He said other vulnerable products include two parental filters: one from Komodia known as KeepMyFamilySecure and another from Qustodio.
Komodia's Weichselbaum said his company was investigating reports of vulnerabilities in KeepMyFamilySecure.
Qustodio Chief Executive Eduardo Cruz said his company's Windows parental filter was vulnerable and he hoped to push out a fix within a few days.
Lenovo did not disclose how many machines were affected, but said that only machines shipped from September to December of last year had been pre-loaded with the vulnerable software.
Affected Lenovo products include laptops in its Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series, according to the company's support website. (lnv.gy/1LiWKX2)
(Additional reporting by Paul Carsten in Beijing; Editing by Chris Reese and David Gregorio)