The harmful code recently found on Lenovo machines is now surfacing in other apps

Justin Kahn



As we previously reported, Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code. The appearance of the potentially harmful software was not only shocking to many, but also prompted researchers to look around to see whether the adware (or similar code) had made it to other places it shouldn't have.

Based on recent data, that appears to be the case, with at least two other firms reported to have affected apps out in the wild. This dirty code, spotted by researcher Filippo Valsorda, causes devices to accept any old self-signed certificate from sites, obviously causing serious privacy and security issues in the process. Valsorda noted that code of this nature can be found in the Ad-aware Web Companion anti-virus/privacy software from a company known as Lavasoft and within another ad-focused privacy app called PrivDog from Comodo.

Both occurrences expose users to the serious potential of man-in-the-middle attacks and leave personal data up for the taking, not to mention the negative effect it will have on both companies. Comodo is generally trusted on the internet with regard to certificate management; however, that may not be the case for long.

While Lenovo has since admitted the issues surrounding the Superfish adware on its machines by offering its own removal tool, there is still no word from Lavasoft or Comodo on the latest findings. Microsoft has also updated Windows Defender so that it will detect and remove the Superfish adware on its own.


 
"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.
 
> "Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."
>
> Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.

Superfish is bad enough, never mind letting other forms of self-signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
 
The part of the story that really bothers me is the validity of Root and Intermediate Certificates. Apparently, the Komodia stuff is an open barn door for breaking HTTPS. This is bigger than Lenovo.

It appears that Microsoft can evaluate certificates and has taken steps to clear up the Superfish mess - but what about the others?!?!

Does anyone have a good 'white list'?
 
"Self-signing certificates" itself is not all that bad. It is a legit practice used by many, such as anti-virus software and other security software. The real issue here is that the certificates are not done properly by Komodia, which uses the _same key_ on all computer systems. That makes malicious attacks practical. It is an issue that is easy to overlook, though, because to discover the vulnerability, one essentially has to intentionally crack the encryption to learn the key, as done by the "security analyst" in this case.
 
So, it is a good tool gone bad due to sloppy origination by folks who should know better and were thought to be trustworthy. Sounds like it still needs policing. Is there a 'white list'? Do any of the security software folks (Symantec, Trend Micro, AVG, etc) deal with this? I found this KB at Microsoft ( http://support.microsoft.com/kb/931125 ) and I believe it applies, but I would really like to hear from an expert.
 
> "Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."
>
> Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.
>
> Superfish is bad enough, never mind letting other forms of self-signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.

You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre-installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.
 
> "Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."
>
> Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.
>
> Superfish is bad enough, never mind letting other forms of self-signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
>
> You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre-installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.

Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built, you would be uncomfortable about wiping out your hard drive and would choose instead to rely on your supposedly reputable OEM.
Public square pillory is the only redress, and a good white list for trusted CAs is necessary.
 
> Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built, you would be uncomfortable about wiping out your hard drive and would choose instead to rely on your supposedly reputable OEM.
> Public square pillory is the only redress, and a good white list for trusted CAs is necessary.

I agree most of us are builders, but how many of us build laptops? My bad, I should have been more clear in my post. :D
 
Buy, wipe and clean install. Getting hold of an ISO of Windows is not hard, though booting a DVD on a UEFI BIOS can be tricky depending on the implementation.

Microsoft would not dare put this sort of stuff into vanilla Windows, as they would get screwed by lawsuits; also, it's bad business.
 
> Buy, wipe and clean install. Getting hold of an ISO of Windows is not hard, though booting a DVD on a UEFI BIOS can be tricky depending on the implementation.

Why waste the DVD? I create a USB stick with Rufus. Format GPT for UEFI BIOS, and I believe anything Windows 8 and newer should boot without disabling Secure Boot. I'm not familiar with how they are signed, but I haven't needed to disable Secure Boot in a while. The original ISO stays in my collection on my external drive and the USB key gets reused for my next project.
 