Last month we learned that Lenovo consumer laptops sold between September 2014 and February 2015 shipped with Superfish pre-installed. Superfish exposes the machine to man-in-the-middle (MiTM) attacks because of a security vulnerability involving the self-signed root certificate it uses. Microsoft and Lenovo worked together to contain the situation through the MAPP and VIA partner programs. Superfish uses a framework called Komodia to install a network driver that acts as a MiTM, decrypting and modifying network data to insert extra ads.
HTTPS browser sessions are normally protected against man-in-the-middle attacks; Superfish, however, is able to intercept and modify secure browser sessions by:
- Installing an unconstrained self-signed root certificate on the local machine.
- Embedding a private key in Superfish to re-sign HTTPS content with that root certificate after modifying it.
From a user's perspective, the secure HTTPS connections appear to be valid. However, the modified web content is signed by Superfish instead of by a legitimate certificate authority. The images below show what the user could see, with a Superfish certificate installed, when examining the connection to a secure server in Internet Explorer.
Through Komodia, Superfish installs the same public root certificate on every machine and embeds the corresponding private key to re-sign content on the fly. As a result, the private key used to sign the content is shared by all affected users and is publicly known. This has several important security implications and is being tracked under the vulnerability identifier CVE-2015-2077.
This issue extends beyond Superfish and also applies to other applications that use the Komodia framework to intercept SSL/TLS traffic. Applications using similar SSL/TLS interception methods have also been found to be vulnerable to this and related trust problems.
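The following Go example makes the two halves of the problem concrete: why an unconstrained self-signed root whose private key is public lets anyone re-sign content for any hostname, and how a defender can pick such a root out of a trust store. It is an added illustration, not code from the original post or from Microsoft, Lenovo, Superfish or Komodia. It builds its own throwaway root (the name "Constructed Interception Root" and the hostname "bank.example" are placeholders, not the real Superfish certificate or its fingerprint), uses only Go's standard crypto/x509 package, and assumes a blocklist keyed by the SHA-256 hash of the certificate's SubjectPublicKeyInfo, since the post does not give the real key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template returns a CA template with no name constraints (the unconstrained
// root described in the post) when ca is true, otherwise a server leaf for host cn.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key for tmpl and has signer sign it; a nil signer self-signs.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiFingerprint hashes the SubjectPublicKeyInfo: the same key ships to every
// affected machine, so the key identifies the root however it is repackaged.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// findLeakedRoots returns the self-signed CA certificates in store whose key
// appears on a blocklist of keys known to be public.
func findLeakedRoots(store []*x509.Certificate, leaked map[string]bool) []*x509.Certificate {
	var hits []*x509.Certificate
	for _, c := range store {
		if c.IsCA && c.CheckSignatureFrom(c) == nil && leaked[spkiFingerprint(c)] {
			hits = append(hits, c)
		}
	}
	return hits
}

// Demo builds a constructed interception root (a placeholder, not the real
// Superfish certificate), re-signs a leaf for a hostname with the root's key,
// and reports whether a client accepts that leaf with and without the root
// trusted, plus how many leaked roots the scan finds in a two-entry store.
func Demo() (withRoot, withoutRoot bool, hits int, err error) {
	rootTmpl := template(1, "Constructed Interception Root", true)
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return
	}
	leaf, _, err := issue(template(2, "bank.example", false), root, rootKey)
	if err != nil {
		return
	}
	trusting := x509.NewCertPool()
	trusting.AddCert(root)
	_, errTrusted := leaf.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: trusting})
	_, errBare := leaf.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: x509.NewCertPool()})
	withRoot, withoutRoot = errTrusted == nil, errBare == nil
	// Only the self-signed CA carrying the leaked key is flagged; the leaf is not.
	hits = len(findLeakedRoots([]*x509.Certificate{leaf, root}, map[string]bool{spkiFingerprint(root): true}))
	return
}

func main() {
	withRoot, withoutRoot, hits, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted with root trusted: %v, without: %v, leaked roots found: %d\n", withRoot, withoutRoot, hits)
}
```

The leaf is accepted purely because the client trusts the root, which is exactly the position a machine with the Superfish certificate installed is in. The scan keys on the public key rather than on the subject name because the key is what is identical across every install and cannot be renamed away; in a real deployment the blocklist would hold the hash of the actual compromised key and the store would be the machine's trusted root store.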