More like this

Security

Reg comments
8

Cert-slurping security firms chop super-fishy features

Lavasoft, AdTrustMedia, add fuel to man-in-the-middle diddle

Security companies Lavasoft and AdTrustMedia, have been found using the SSL slurping certificate - or something very similar - made infamous by the Lenovo-Superfish debacle.

Lavasoft used the certificate in its web inspection software Ad-Aware Web Companion and the Alpha testing version of AdBlocker. The software was restricted to processing inbound traffic locally on a user machines.

The company removed the dangerous root certificate from a build released Wednesday. However unspecified traces of the SSL Digestor slurp machine built by Komodia remain.

“Although Lavasoft’s most recent release of Ad-Aware Web Companion removed this functionality and was not supposed to contain the SSL Digestor; it was determined that trace elements of the Komodia SSL Digestor were still present,” Lavasoft says in a statement.

Users were unimpressed, asking the company on its Facebook page whether Lavasoft knew what its developers are doing.

A fix has been released to mop up the debris and is being pushed out through an automatic update. Firefox users will have to re-install the software while Alpha users must manually check that the root certificate has been removed due to the unstable nature of the included uninstaller.

AdTrustMedia also released a fix for its PrivDog software that uses its own root certificate capable of playing into the hands of phishers due to an implementation error.

The software generates a root certificate and execute a man-in-the-middle proxy, replacing HTTPS certificates with its own, German system administrator Hanno Böck (@hanno) says.

An implementation flaw exists in a third-party library in versions 3.0.96.0 and 3.0.97.0 not bundled with other wares meaning browser warnings for websites with self-signed certificates were quashed.

“It will turn your browser into one that just accepts every HTTPS certificate out there, whether it's been signed by a certificate authority or not,” Böck says in preliminary analysis.

It affected a potential pool of 6294 US and 57,568 global users yet was somehow still a “minor intermittent defect” Comodo says in an advisory scribbled in 6 point font.

“The issue potentially affects a very limited number of websites,” it says.

“In some circumstances self-signed certificates do not trigger a browser warning but encryption is still provided to the end user, hence security via encryption remains intact. The potential issue is only present if a user visits a site that actually has a self-signed certificate.”

News of the threat first surfaced on the Hacker News aggregator after a user discovered their machine was open to tampering during a test of security bod Filippo Valsorda's Superfish utility.

The security threat was ironically spruiked to users during the installation process of Comodo's Internet Security wares.

The program was designed to replace malvertising with legitimate ads in what the company considered a win for users in that they are saved from compromise and advertisers since their revenue is protected Users should be cautious when installing any software including security offerings as each can sometimes drastically increase attack surfaces. ®

Sponsored: Global DDoS threat landscape report