Security software makers found to be using Superfish engine

By JC Torres/Updated: Feb. 25, 2015 1:24 pm EST

It seems like Superfish is still one hot fish even after Lenovo has admitted its lapses in addressing the rather eerie security situation. Discovery of Superfish and Komodia, the software company that makes it all possible, has led researchers to look for other traces of the software and the results they ran into are rather shocking. It's almost acceptable that adware would make use of something like Komodia, but for software that are designed to actually keep users safe from phishing and spoofing is almost unbelievable.

Komodia's software installs self-signed SSL certificates in order to make browsers trust any self-signed certificate that used the same key as the one installed by Komodia. Such a method was necessary to intercept packets coming through even secure channels like HTTPS. That, in itself, was already bad from a security standpoint, but the fact that the key is also easily discoverable makes it even worse. It leaves users wide open from man in the middle (MITM) attacks , with hackers masquerading as legitimate websites or servers.

Sadly, it turns out that not only adware makers utilized Komodia's software. Even anti-virus and anti-hacking software apparently used it, which is more than just ironic but also tragic. Lavasoft's free Ad-aware Web Companion was discovered to be using Komodia's software, though in a rather innocent way. Most AV software use self-signed certificates precisely to detect SSL injections and, therefore, break in attempts. Sadly, Lavasoft has chosen to go with an implementation that is known to be quite easily hacked.

It isn't alone, however. The standalone version of PrivDog, a similar kind of security software, is reported to be based on Komodia's engine. To add insult to injury, PrivDog is developed by Comodo, a company that is mostly trusted by the Internet for its certificate authority. The good news is that the vulnerability is only in the standalone version of PrivDog. The version that ships with the Comodo Internet Security bundle shows no traces of Komodia.

Neither company has reacted to these findings, but they are sure to at least take a PR hit for the revelation. While Comodo seems to have the technology or at least the know how to have a Komodia-free PrivDog, its reputation as a trusted certificate authority might very well be tarnished. On the other hand, if Lavasoft's software is intricately tied to Komodia, then it will have both have PR as well as technical problems to quickly address.

VIA: Ars Technica