Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish... While Superfish Says 'No Consumers Vulnerable'

from the own-it dept

Wednesday night, the security world blew up with the news (which had actually been out there for a while) that the adware/malware Superfish that Lenovo had been installing by default on many laptops included a security vulnerability: it installed its own, self-signed root HTTPS certificate, and then basically mounted a man in the middle attack on HTTPS connections -- and did so with an easily hacked certificate, creating a vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo's initial response, which didn't even name which laptops Superfish was installed on, and made this blatantly bullshit statement:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and has put together a page about how to remove the software and the rogue certificate. That's something, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.

Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it's only given a ridiculously misleading statement to reporters:

Superfish has not been active on Lenovo laptops since December. We stand by this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.

It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.

First of all, at the time it "stood by" the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it's simply untrue that Superfish is "completely transparent" because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers

Finally, there's Komodia. As Robert Graham discovered when he hacked the Superfish certificate, the password is "komodia" which just happens to be a company that sells a product for... creating these kinds of man in the middle attacks on HTTPS connections, mainly for parental spyware. The company is also quiet on this stuff. Its website looks like it hasn't been updated recently. It has various blogs and a Facebook page, none of which appear to have been updated since 2013. However, as security researchers are discovering, Komodia's tool is being used in other crappy spyware/malware and always in the same terrible manner -- all using the password "komodia." As Marc Rogers notes:

What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

This problem is MUCH bigger than we thought it was.

The software known to use Komodia includes Komodia's own "Keep My Family Secure," Qustodio's parental control software and the Kurupira Webfiler -- all of which likely are very vulnerable thanks to this idiotic implementation.

Lenovo, Superfish and Komodia all have done a piss poor job taking responsibility for the massive security vulnerability they created.
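One way to do the check Rogers recommends on a Windows machine, added here as an example that is not from the Techdirt post, from Lenovo's removal page, or from any of the vendors named: it scans the trusted root stores for certificates whose Subject or Issuer matches a watch list. The watch list (Superfish, Komodia) is an assumption; the article gives neither the certificate's subject string nor its thumbprint.

```powershell
# Added example: list trusted root certificates that match a watch list.
# Assumption: the pattern list is a constructed guess based on the vendor
# names in the article, not a published indicator.
$WatchPatterns = @('Superfish', 'Komodia')

function Find-SuspectRootCerts {
    param(
        [string[]] $Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string[]] $Patterns = $WatchPatterns
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # Every root CA is self-signed; the question is whether this one
            # was put there by the OS/vendor trust program or by installed software.
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $hits = $Patterns | Where-Object {
                ($cert.Subject -match $_) -or ($cert.Issuer -match $_)
            }
            if ($hits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    SelfSigned = $selfSigned
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Matched    = ($hits -join ',')
                }
            }
        }
    }
}

# Report only; this script does not delete anything.
$found = Find-SuspectRootCerts
if ($found) { $found | Format-Table -AutoSize } else { 'No matching root certificates found.' }
```

A hit should be removed only after the software that installed it is uninstalled, otherwise the program can simply re-add the certificate; Lenovo's removal page covers both steps for Superfish.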

Filed Under: privacy, security, superfish, vulnerability

Companies: komodia, lenovo, superfish