The rest of the story: Komodia, Lenovo, and Superfish

It’s always a busy month in the field of security. This month has seen its share of ugly stories, including the growing amount of state tax fraud, massive bank heists, and another depressing breach of our personal privacy by a major business. Those stories are all big, but the one that really captivated the attention of our community has been the one about Lenovo and Superfish.

That story has all the requisite narrative pieces to be a big tale that riles the enthusiast: a large PC maker pushing crapware onto untold numbers of users, that crapware being adware afflicted with a major security flaw, and the players involved doubling down on a large dose of stupid. Add the spicy dash of conspiracy that this is covert government espionage to the mix, and I think we’re well on our way to a Tom Clancy novel.

It’s not hard to lay some of the blame for this mess on the general decline of the broader PC industry. The PC market has long been one of low margins and low costs, and that’s still the case today. The need to find additional revenue sources has undoubtedly helped foster the rise of crapware. Of the major PC makers navigating the changing seas of this market, Lenovo has arguably done well for itself.

We saw some bang-up coverage of the Lenovo-Superfish story last week. Ars Technica has been solidly on top of it, and Geoff and Cyril here at TR have done a phenomenal job of detailing the saga, too. The passing of time has helped flesh out more of the details, and I figured now was a good time to sum everything up.

Superfish is an advertising company that developed a product called Visual Discovery. Visual Discovery takes a different approach to serving targeted ads: rather than matching keywords, it processes the images on the pages you visit in order to learn your interests. That capability could be implemented as a browser extension, but depending on browser support would limit the software’s reach. Another approach is to inject a Layered Service Provider (LSP) or Windows Filtering Platform (WFP) filter into the OS network stack. Such a filter sees the traffic of every browser, but it does have one tiny downside: because SSL/TLS is terminated inside the browser, encrypted traffic passing through the filter is opaque to Visual Discovery. What Superfish needed was not only a filter in the stack, but also a proxy that terminates the SSL/TLS session with the outside resource and negotiates a second session with the local browser.

Superfish apparently lacked either the skills or the desire to build the software needed to carry out that man-in-the-middle attack, so they went looking for an all-in-one solution to their problem. Komodia sells a development kit called an “SSL hijacker,” which implements the proxy functionality needed to mount the attack. To be fair, this sort of interception is a tool, and like all tools it can be used for good or for ill. Many anti-virus products and host intrusion detection and prevention systems use the same filter drivers and proxy capabilities to identify malicious traffic before your system can process a malicious application’s payload. Of course, Superfish isn’t an anti-malware program. It’s an adware program, and it has no business being integrated into the TCP/IP stack.

As terrible as what I’ve already described is, the situation only gets worse. Over the course of a few days, security researchers plumbed the depths of the Komodia engine and found numerous implementation problems. More concerning is the fact that this flawed engine is integrated not just into Superfish Visual Discovery, but into numerous other products. Komodia claims to have more than 100 clients using their product, and the list of programs found to use the Komodia engine keeps growing. In short, Lenovo is just the tip of the iceberg.

The Komodia engine’s poor security design includes blunders like:

  1. The root CA’s private key is identical on every machine the engine is installed on.
  2. That root private key is protected only by a trivial password: komodia.
  3. The installed Komodia proxy is the one that negotiates with outside resources (like TR), and it is willing to accept any symmetric cipher the server offers, including RC4 and DES. Those ciphers are far too old and weak to be used today.
  4. The Komodia proxy will also accept any certificate that carries the domain name in its Subject Alternative Name field, and it will re-sign a certificate for that domain with the root private key installed on the machine, so the browser trusts it.

Jumping onto a public Wi-Fi hotspot and using a tool like PwnStar against a machine sporting one of these certificates would be devastating to the victim.

In other words, the entire Komodia engine is a hopelessly broken implementation of public key infrastructure.

So, what can you do about it?

  1. You can check if you’re impacted by one of the many Komodia engine products here.
  2. You can manually uninstall and check for Superfish Visual Discovery here.
  3. You can take off and nuke it from orbit. It’s the only way to be sure.
  4. Windows Defender has started cleaning up the Superfish Visual Discovery mess. We may see the other anti-malware vendors follow suit.
  5. Make sure to check and watch this CERT listing for known software beyond Visual Discovery that uses the Komodia engine.
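One way to run a check like the one in step 1 on your own machine, as an added example that is not the article’s linked checker and not Komodia or Superfish code: a Komodia-style proxy re-issues every site certificate under its local root, so the certificate a TLS client on that machine actually receives names that root as issuer instead of the site’s public CA. The issuer names flagged as suspicious, the “Example Public CA” issuer and the sample certificates are constructed assumptions for illustration.

```python
"""Flag TLS interception by a locally installed proxy root (Komodia-style).

Added example, not code from the article, Komodia or Superfish. The issuer
markers and sample certificates below are assumptions for illustration.
"""
import socket
import ssl

# Issuer names that should never sign a public website's certificate
# (assumed list; extend it from the CERT listing the article points to).
SUSPICIOUS_ISSUER_MARKERS = ("superfish", "komodia")

# Ciphers the article calls far too old and weak. Caveat: a client on the
# machine only sees the browser-to-proxy leg, so a clean cipher here says
# nothing about what the proxy accepted from the remote site.
WEAK_CIPHER_MARKERS = ("RC4", "DES")


def rdn_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples issuer/subject form that
    SSLSocket.getpeercert() returns into {attribute: value}."""
    flat = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def analyse_peer(peercert, cipher, expected_issuer_org=None):
    """Return a list of findings (an empty list means nothing suspicious).

    peercert: dict in the SSLSocket.getpeercert() format
    cipher:   (name, protocol, bits) as SSLSocket.cipher() returns
    expected_issuer_org: organizationName of the CA that really signs the
        site, recorded on a machine you trust (optional)
    """
    findings = []
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    subject = rdn_to_dict(peercert.get("subject", ()))
    issuer_text = " ".join(str(v) for v in issuer.values()).lower()

    if any(m in issuer_text for m in SUSPICIOUS_ISSUER_MARKERS):
        findings.append(f"issuer is a known interception root: {issuer}")

    if expected_issuer_org and issuer.get("organizationName") != expected_issuer_org:
        findings.append(f"issuer org {issuer.get('organizationName')!r} "
                        f"differs from expected {expected_issuer_org!r}")

    # A leaf whose issuer equals its subject was signed by nobody a public
    # CA vouches for; a proxy re-signing on the fly can emit such leaves.
    if issuer and issuer == subject:
        findings.append("leaf certificate is self-signed")

    name = cipher[0] if cipher else ""
    if any(m in name for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher on local leg: {name}")
    return findings


def check_host(host, port=443, expected_issuer_org=None):
    """Connect using the OS trust store and analyse what it accepted.

    A failed handshake is reported too: it means this client does not trust
    the presented chain, which should not happen for a well-known site.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return analyse_peer(tls.getpeercert(), tls.cipher(),
                                    expected_issuer_org)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        return [f"connection or handshake failed: {exc}"]


# Constructed sample in getpeercert() shape: what a client on the machine
# sees once a Komodia-style proxy has re-issued the site's certificate.
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),   # assumed name
               (("commonName", "Superfish, Inc."),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
INTERCEPTED_CIPHER = ("RC4-SHA", "TLSv1", 128)

# Constructed clean sample issued by the site's (assumed) public CA.
CLEAN_SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Issuing CA 1"),)),
    "subjectAltName": (("DNS", "example.com"),),
}
CLEAN_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)

if __name__ == "__main__":
    for label, cert, ciph in (("intercepted", INTERCEPTED_SAMPLE, INTERCEPTED_CIPHER),
                              ("clean", CLEAN_SAMPLE, CLEAN_CIPHER)):
        print(label, analyse_peer(cert, ciph, "Example Public CA") or "no findings")
```

Run `check_host("a-site-you-trust.example")` on the suspect machine and again on a clean one; if the issuers differ, something on the suspect machine is terminating TLS.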

Perhaps in some backhanded way, Lenovo has done us a favor. One wonders how much longer Komodia’s poorly built product would have escaped notice without their pursuit of profits at the expense of the end user. Thanks, Lenovo!

Comments closed
    • NeelyCam
    • 8 years ago

    Yeah, but it doesn’t come with Windows

    • Pwnstar
    • 8 years ago

    Heh.

    • Geonerd
    • 8 years ago

    Yikes! I have no less than 93 TRCAs on my computer. Some look legit, such as those that appear to involve on-line banking etc., but many others may as well be from Mars. None of the AV programs I have flag any issues, but having so many unknowns does make me nervous.

    Can anyone suggest a reliable AV/Anti-Crapware application that will at least make a stab at identifying potentially unsafe Certs?

    Thanks.

    • VincentHanna
    • 8 years ago

    The article @ #4 about defender was interesting, beyond the superfish mess. That auto-disabling feature has been pissing me off for a long time now, and I never did quite buy the explanation furnished by MSFT entirely. OEM/anticompetitive whining certainly seems a lot more likely.

    • ET3D
    • 8 years ago

    Thanks for the article and test link. I’ll fish about my newish Lenovo laptop to see if there’s a fish to be fried.

    Thankfully ThinkPad laptops were never infected with this, so at least at that level it’s possible to continue to trust Lenovo.

    • Shouefref
    • 8 years ago

    I will delete my profile at LinkedIn after they’ve decided to sell surf behaviour.
    I’ve already left FB, and that didn’t have any drawbacks.
    As a matter of fact, that kind of sites only work if enough people believe it will work. If people don’t join them, they can never get something done.

    • crystall
    • 8 years ago

    IMHO nuke from orbit is the only real option. Every new computer should be wiped clean; you can’t trust an OEM installation. They are all riddled with garbage even though it might be harmless garbage.

    Ironically enough in their budget lines Lenovo is also selling laptops without a preinstalled OS which would always be my choice these days.

    • drsauced
    • 8 years ago

    Disturbing, but not unexpected. It’s been going on for so many years, the collection and sale of user data.

    At work we generally build an image for new machines. I say generally because it depends on the vendor and model. With Dell laptops and desktops, yes, absolutely, nuke and reimage. Some laptops are fine, like the Latitude 7450s; just a little bit of uninstall takes care of most of the bloat. It’s a little bit faster distributing machines this way, but there’s always a chance of something lurking.

    We recently took delivery of a Flex 2, and after first boot, it was clear that it needed a nuke back to Windows 7. It wasn’t easy either, I had to find and hack drivers for the touchpad that would install correctly for Windows 7. Other than that, 2 months later, it’s been a pretty good piece of hardware.

    • just brew it!
    • 8 years ago

    It is common practice for web security/filtering/monitoring software, including corporate firewalls and web proxies. You can argue whether doing this is “right” but the fact remains that these are considered to be legit applications.

    If you work at a large corporation, try accessing a HTTPS site from your corporate desktop, then examine the security certificate. I give you even odds that the issuer will show up as the vendor of your employer’s web filter, not the site you visited. Ditto if you have “Net Nanny” type software installed on a PC used by your kids. AV applications with real-time web malware protection (e.g. Avast) do it too.

    And I did use the qualifier “ostensibly”.

    • VincentHanna
    • 8 years ago

    There is a “legit” reason why software installed on people’s computers was hijacking secure connections and forging new SSL certificates? Do tell.

    • dragontamer5788
    • 8 years ago

    Quote: “There was a time when you could count on decent AV or malware protection and being smart about the sites you go to and the software you download.”

    Exactly what year was that? It must have been earlier than 2005... https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

    • Thresher
    • 8 years ago

    I am talking about their online hardware store, not their OS.

    • just brew it!
    • 8 years ago

    How could they be proactive against something that was being used in dozens of ostensibly legit software products? All they can do is react, now that Komodia has been proven to be a security train wreck.

    • just brew it!
    • 8 years ago

    They don’t provide any links to back that up. If it’s the study I’m thinking of, IIRC they counted security bugs reported against anything in the Linux distro’s repository. In other words, they were comparing the entire Linux software ecosystem against Windows (the OS), which is rather disingenuous.

    • just brew it!
    • 8 years ago

    Yeah, but at least in that case you should be able to easily do a wipe and clean re-install, since you don’t need to rely on the vendor’s pre-infected restore image.

    • just brew it!
    • 8 years ago

    It gets even better (or worse, depending on how you look at it). The Komodia software allegedly also contains a rootkit: https://gist.github.com/Wack0/f865ef369eb8c23ee028

    • marraco
    • 8 years ago

    Microsoft Store is full of spyware. The Store itself is malware: it is unnecessary, you are never asked your permission to install it, and you cannot remove, uninstall, or delete it. It is a monopolistic abuse of dominant position, because it locks you into MS business; it comes with a load of spyware and useless software that you never asked for, do not need, and do not want, and it is integrated with the OS, including integration with Skydrive.

    • marraco
    • 8 years ago

    Windows 10 Preview also comes loaded with a mountain of factory malware that you don’t need (err, I mean “apps”), and you cannot remove most of them, unless you want to manually delete files and break the OS.

    Once upon a time, when you bought a Windows disk, you had the advantage of installing a clean OS. No more.

    After installing Windows 10, it tries lots of times to force you to log on to the MS spynetwork, and never makes clear any distinction between your administrator password and your MS online password.
    Even if you are smart enough to create a local account, it tries to log you in to MS with any excuse, mirroring the behavior of any cheap phishing malware that tries to make you send them your private passwords.

    The worst offender is MS Store spyware. You cannot uninstall it, and if you make any attempt to block, stop or delete it, you are excluded from updates.

    Also, MicroSpyware thinks that you want it to manage your camera. It installs camera software even if you do not have any camera installed. You cannot uninstall or disable it. It starts without your permission, and consumes memory and CPU. It tries to force you to upload your photography as online avatar, and has no care about your privacy, your age, doesn’t care if you are a minor, or if you are naked or just looking bad.

    Skydrive and Onedrive? They send copies of your private files to MicroSpyware, and you cannot remove any of them. There is no way to uninstall. Even if you delete its files, it reinstalls with any excuse, without asking. Beware: when you are offered any “live service”, install any MS Office thing, or just click on lots of MS baits, you get again uninstallable OneDrive, SkyDrive, and all the MicroSpyware icrap.
    They run in the background even if you never accepted to use any service from the MS spyware network.

    • way2strong
    • 8 years ago

    That’s not fair, the Linux category is just the kernel. Not sure how they defined OS X though.

    • terranup16
    • 8 years ago

    Totally a better idea, right?

    http://winbeta.org/news/forget-windows-most-vulnerable-operating-systems-2014-were-mac-os-x-and-ios

    • dragontamer5788
    • 8 years ago

    Virus scanners are reactive by design.

    McAfee cannot “proactively” close security vulnerabilities in Windows. Only Windows can do that. Ditto with Apple and Red Hat or Debian. Proactive is about security audits, security research and such. Microsoft, Apple, and Linux maintainers (Red Hat / Debian / Ubuntu) are proactive about security in general, but they’re not perfect.

    EDIT: It seems like OEMs (Lenovo, Dell, HP, Toshiba) are in a weird place. They should be proactive about their default loadouts, but they clearly aren’t. In either case, anti-malware firms cannot “proactively” secure your systems. Malware has to exist before the virus scanner can be updated to catch the virus. It’s the innate design of virus scanners.

    • MarkG509
    • 8 years ago

    Profit?

    • MarkG509
    • 8 years ago

    My Linux Mint boxes just got a Root CA update for Firefox that nukes the bums from orbit (in the nicest way possible):

    “This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections. It includes, among others, certificate authorities used by the Debian infrastructure and those shipped with Mozilla’s browsers. Please note that Debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator.”

    • MarkG509
    • 8 years ago

    Nope. All trust is lost. Time to offer with nothing preinstalled and fully open-source firmware.

    • MarkG509
    • 8 years ago

    The skilled reader would have noticed that they split off the IE vulnerabilities from the Windoze bugs. Add the two categories together and Windoze loses.

    • kamikaziechameleon
    • 8 years ago

    Seems like internet security is a house of cards and one bad product brings it all down.

    • dragontamer5788
    • 8 years ago

    If only it were a Trojan. Flashback was installed through a drive-by download (which is why it got so bad in the first place). iWorm (http://www.thesafemac.com/dr-web-announces-new-iworm-malware/) was a Trojan from October 2014. So it demonstrates that Mac continues to get viruses regularly. Shellshock also affected Macs (we’ve got a few Apache instances in my lab), so yes, that was an issue I had to deal with. Even “softer” viruses, like the FBI Ransomware bug (http://botcrawl.com/how-to-remove-apple-fbi-cyber-department-virus/), are widespread in the Mac world today. Or perhaps the BTC wallet stealer of 2014 (http://www.theinquirer.net/inquirer/news/2327990/trojan-steals-bitcoins-from-mac-os-x-users)? Was your security team ready to deal with WireLurker (http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/)? I can continue to list off Mac viruses and trojans till I’m blue in the face, but it doesn’t seem like you’re willing to listen. Macs (and Linuxes) get viruses, and any serious corporate lab manager needs to take appropriate precautions.

    Quote: “They ask you for advice about what to buy and you know that you’re the one who’s going to get calls about cleaning up their computer every once in a while. For free, of course. Do you recommend them to buy a PC or a Mac? After I switched my mom over to a Mac, I’ve yet to get a single call about the browser opening up unwanted pages or ‘Google not working’.”

    My Mom is on this ancient WinXP desktop machine. I’d recommend anything recent honestly that isn’t Linux. I’ve taken my Mom to an iMac store, and said “If you can check your email, I’ll help you out with the Mac”. She couldn’t even figure out how to open up Safari, or close it on her own. So yes, I buy Windows for my mother. Maybe my Mom can learn that left-clicking the top-left of windows will close them on Mac one day... but for now, she’s clearly most integrated with the Windows “top right corner to close” and so forth. Believe it or not, switching interfaces is a very confusing thing for computer newbies. My mom can’t close windows, or use the taskbar on any program in Mac OSX. She’s somewhat competent on Windows, able to write Word documents and use Excel, check her email and send attachments even (omfg, that took too long to teach her). And I’m not going to go through that process again just because Macs are cool. Good thing I did a test run at a Mac store before I pulled the trigger. Oh yeah, and she doesn’t use the Win7 laptops I got her. She’s always going back to the old WinXP machine :-(. So... it probably doesn’t matter. My Mom is gonna stick with her old machine till that thing breaks.

    EDIT: She also got an iPhone, and I helped her transfer her contacts and everything from her Samsung to the iPhone 6. After a few weeks of hard work, I suddenly realized that my mom had a Galaxy S5 :-(. So... that was a lot of wasted effort as well. I think people overrate the “ease of use” of the iThingies. In my experience, my Mom wasn’t able to learn how to use them.

    Quote: “Or here’s another perspective: our company (major multinational) allows BYOD. They take security very seriously. Etc. For PC laptops, we are required to install a company sanctioned virus scanner, for Mac we are not. Maybe they’re idiots, or maybe they see the same thing I see.”

    Your security team is ignorant. Probably not idiots, but ignorant for sure. Virus scans need to exist on Linux, Mac, and Windows... and easy virus scanning solutions exist on all platforms. Furthermore, I’ve got vulnerability scans running on my network and regardless of the platform I make sure to fix those vulnerabilities. We don’t do BYOD in my lab, so it’s my responsibility to keep people safe. I don’t have anything against Linux or Mac. As stated, I have control of a lab with Windows, Linux and Mac machines. And as such, I have to work to keep the lab safe. I’m not quite perfect at the job, but I try to make sure my ignorance won’t blindside me.

    • MathMan
    • 8 years ago

    We both agree that they have malware. But we disagree about the extent of it. Pointing to 2012 Trojan on the Mac is not the kind of argument that’s going to convince me. One dangerous worm is less of an issue than hundreds of less dangerous ones. To me, it’s about the total scope of the problem.

    Here’s a simple question: you have 10 computer noob family members. Your YouTube ripping nephew. Your 60yo mother. Etc.

    They ask you for advice about what to buy and you know that you’re the one who’s going to get calls about cleaning up their computer every once in a while. For free, of course.

    Do you recommend them to buy a PC or a Mac?

    After I switched my mom over to a Mac, I’ve yet to get a single call about the browser opening up unwanted pages or ‘Google not working’.

    Or here’s another perspective: our company (major multinational) allows BYOD. They take security very seriously. Etc. For PC laptops, we are required to install a company sanctioned virus scanner, for Mac we are not. Maybe they’re idiots, or maybe they see the same thing I see.

    • dragontamer5788
    • 8 years ago

    Quote: “4. I also sense that from this and other stories that we are becoming more vulnerable over time.”

    No, you aren’t. You’re actually much safer than before. All of these news stories are much tamer than Blaster, Melissa, Conficker and so forth. We are long past the age when 20%+ of computers would get infected. These ancient viruses that infected 20% of the world just don’t happen anymore. What we have here is a small subset of computers being left vulnerable to crapware. This has happened for many years, but computer users as a whole are finally “waking up” to the issue. Thank goodness for that too. http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

    I welcome this age, as ignorant computer users are finally becoming savvy enough to understand these issues. But do not despair, we’re in an age of enlightenment.

    • tootercomputer
    • 8 years ago

    I will be very honest. I’m a fairly educated person and I love to build and maintain and tweak desktop computers. This is why I’ve been a long-term fan of TR (and too broke of late to be a paid member:)). That said:

    1. I do not have the technical knowledge to understand most of this article.
    2. But thank you for writing it and putting Superfish in some context.
    3. What I do get is that things are truly a mess and seem out of control actually.
    4. I also sense that from this and other stories that we are becoming more vulnerable over time.
    5. Is this as dire a situation as it appears? Has there been a major shift in vulnerability of late?

    • dragontamer5788
    • 8 years ago

    Quote: “It’s a very simple truth that, as a Mac user, you simply have to worry less about it. That is all.”

    http://blog.trendmicro.com/iworm-a-wake-up-call-for-mac-security/

    Sure you don’t. Macs have malware just like everyone else, yo. As long as you stick your head in the sand and rely on “Apple Magic” to protect you, your community will continue to get hammered by security vulnerabilities. Now that Macs have reached more than a 5% install base, malware authors are realizing that they are an untapped market for infections, identity theft and so forth. Y’all better virus-scanner up and start taking the security threat seriously. Mind you, I’m in charge of Macs and Linux machines at work. I’m up for multi-platform and all that good stuff, and unlike a lot of lab managers I’m willing to support multiple platforms for my users. But I do take the security threats seriously, no matter what platform they occur on.

    • MathMan
    • 8 years ago

    Flashback affected 1% of the installed base. Or about 600K users. Not great, but not a disaster. And, yes, nothing is invulnerable. And, yes, Mac users are not as well trained for viruses as PC: FOR A REASON.

    It’s a very simple truth that, as a Mac user, you simply have to worry less about it. That is all.

    • derFunkenstein
    • 8 years ago

    Well, yeah, but it’s almost like Lenovo went an extra step to prevent people from being protected (after the fact, I guess).

    • cheesyking
    • 8 years ago

    Those are pretty meaningless numbers since MS don’t necessarily get a CVE number for every bug they fix or are even aware of. If you bring Snowden into it then MS are even willing to share those undisclosed bugs with other people before publishing them or fixing them.

    (not defending Mac security here, the same is true for them and in terms of security I’d say that for the past few years MS have been doing a better job than Apple.)

    Basically the number of published bugs is going to have very little to do with the actual number of bugs when you compare open with closed source software. TBH even comparing closed with closed it’s not very useful as different companies will have different policies on disclosing bugs and different abilities in finding bugs in the first place.

    Bring it back on topic though, since superfish isn’t a windows bug. One thing you can be sure of is that Apple would never preinstall crap like this on Macs and even though the Ubuntu Amazon thing was very smelly, it’s nothing like the rotting fish smell that now surrounds Lenovo.

    • chubbyhorse
    • 8 years ago

    LOL
    Thank you for this!

    • dragontamer5788
    • 8 years ago

    Flashback alone has infected more Macs by percentage than even Conficker (http://www.pcworld.com/article/253403/mac_malware_outbreak_is_bigger_than_conficker.html). The worst virus on Windows of the last 10 years (originally “of all time”, struck out) infected fewer computers (percentage-wise) than the OSX Flashback virus. Furthermore, OSX Flashback occurred only last year, when security protocols should have been far better. (Conficker was on the ancient WinXP platform, built before computer security was a major issue. Modern Windows has many more security controls than back then.)

    EDIT: Whoops, forgot about Blaster. Blaster hit 20%, which is still a much higher percentage than OSX Flashback. Nonetheless, Flashback remains the worst computer security flaw of the last 10 years. Don’t bury your head in the sand, yo. The worst virus infection rate of the last 10 years (originally “of all time”, struck out) is currently held by Flashback on Mac OSX. PC users are actually trained against viruses, which mitigates threats at this point. Users regularly scan PCs with virus scanners and are careful with websites. The Mac world, however, believes in Steve Jobs’ magic to protect them... or something. So when a drive-by-download remote code execution worm hits the Mac world, it hits hard.

    EDIT: “Of all time” was the Blaster Worm. “Of the last 10 years” was Flashback OSX however, so my point remains.

    • dragontamer5788
    • 8 years ago

    Unfortunately, very few companies offer “genuine Windows” without crapware at consumer-level prices (~$600 laptops). Lenovo just so happened to be the one who got caught. But Dell, HP, Asus and Toshiba are all guilty as well. The higher-priced segment ($1200+ business laptops) doesn’t seem to have this issue. The issue in general is OEMs making deals with shady adware / spyware / crapware companies, who then subsidize the laptop by essentially installing an advertisement onto your PC. No OEM does security research. Android also has a similar issue, as phone companies also install crapware (potentially with security vulnerabilities). Does anyone actually trust “NASCAR Sprint Cup Mobile”??

    • MathMan
    • 8 years ago

    This would be a valid point if you’d treat it as a mathematical existence proof. But we’re talking practical, real world experience.

    Let’s say it this way: adware and malware on Linux and Mac are so unusual that, when they appear, they result in journalists writing articles about it. 🙂

    • NTMBK
    • 8 years ago

    Good luck doing that with a laptop…

    • NTMBK
    • 8 years ago

    Yup. If the company has proven willing to thoroughly sabotage security in return for a couple of advertising dollars, I no longer trust them. At all.

    • MadManOriginal
    • 8 years ago

    http://www.prestige-five.co.uk/wp-content/uploads/2013/05/Dido-308-8.jpg

    The conspiracy gets crazy?!

    • MadManOriginal
    • 8 years ago

    Careful, you’re poking at two rabid fan bases at once!

    • dragontamer5788
    • 8 years ago

    Quote: “What matters is that malware and adware for those 2 OSes either doesn’t exist or, one way or the other, doesn’t manage to get itself installed.”

    Erm... Flashback was a drive-by-download malware for OSX. http://www.cnet.com/how-to/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/

    “Linux” doesn’t get infected because Linux isn’t a platform. But “Debian” (http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.802045) gets infected. “Red Hat” (http://www.computerweekly.com/feature/Virus-wake-up-call-to-Redhat-users) can get infected. Malware attacks platforms, not “Linux” in general.

    EDIT: Bad link, had to retype it.

    • mcnabney
    • 8 years ago

    Or build your own. I hear that some people that frequent TR might do that.

    • way2strong
    • 8 years ago

    Does giving information on vulnerabilities to any government agency that asks make those vulnerabilities count for more in that analysis?

    • MathMan
    • 8 years ago

    Maybe you’re right, maybe you’re not. It doesn’t matter.

    What matters is that malware and adware for those 2 OSes either doesn’t exist or, one way or the other, doesn’t manage to get itself installed.

    So even if they’re theoretically more vulnerable, they’re way safer in practice.

    And that means that I get tons of calls from family members with Windows to clean up stuff and none ever from those who own a Mac.

    • cmrcmk
    • 8 years ago

    For friends and family, I’ve always gone through and individually cleared the crapware that comes bundled on retail PCs. This whole episode is making me think your approach is worth the added time.

    • anotherengineer
    • 8 years ago

    Dido, and for family/friends that have purchased desktops also.

    • cmrcmk
    • 8 years ago

    To be fair, anyone relying on McAfee is already in trouble.

    • Thresher
    • 8 years ago

    There was a time when you could count on decent AV or malware protection and being smart about the sites you go to and the software you download.

    Not anymore.

    Not if OEMs are going to package this crap in from the get go.

    My bet though is that this isn’t the only piece of crapware that OEMs have been installing that is this dangerous. This is just the first that’s been caught.

    BTW, other than buying a Mac, if you want to make sure your new PC has zero bloatware on it, buy from the Microsoft Store. They do not allow any crapware on their stuff and they usually have decent prices.

    • Goofus Maximus
    • 8 years ago

    Thank you, Paul Harvey. I miss hearing him on the radio.

    • Goofus Maximus
    • 8 years ago

    I’d rather widen the scope by calling the originating culprit in the name, so I vote for:
    #Komodigate!

    • Kretschmer
    • 8 years ago

    Why are anti-malware firms being reactive instead of proactive on this one? Is that their business model? (Honest question.)

    • derFunkenstein
    • 8 years ago

    Microsoft has updated Security Essentials definitions to nab and remove Superfish, as Ryu said, but unfortunately since those machines shipped with a McAfee trial, MSSE disables itself by default. And since McAfee doesn’t think it’s malware, you can’t count on your AV software to save you. Whoopsies.

    • guardianl
    • 8 years ago

    I’ll just leave this here:

    OSX and Linux have more serious security bugs than Windows (http://fudzilla.com/news/37082-apple-and-linux-buggier-than-windows)

    • qasdfdsaq
    • 8 years ago

    What are we going to call this scandal? #FishGate?

    • Arxor
    • 8 years ago

    Great recap Ryu.

    And only tangentially related, but the unexpected fish picture made my morning.

    • Anovoca
    • 8 years ago

    In related news, a possible new OSI model has just been leaked: http://i275.photobucket.com/albums/jj303/anovoca/Mobile%20Uploads/FB_IMG_1424701120577.jpg

    • dragontamer5788
    • 8 years ago

    What if Superfish and Komodia were preinstalled on Linux as well?

    The root issue is with Lenovo. If they’re installing crapware on Windows, they’ll almost certainly be installing crapware on Linux (eventually)

    • Goofus Maximus
    • 8 years ago

    Okay, it was totally creepy reading that an ad-aware extension was using this komodia root certificate thing with its “one step better than 12345…7” password protection: komodia.

    • Deanjo
    • 8 years ago

    Time for Lenovo to start offering Linux pre-installed again.

    • Flatland_Spider
    • 8 years ago

    You know, if the first thing done is a clean install (Linux for me), then none of this really matters.

    • dodozoid
    • 8 years ago

    Quoting Ryu Connor: “You can take off and nuke it from orbit. It’s the only way to be sure.”

    Been doing that to my laptops since forever.

    • Ninjitsu
    • 8 years ago

    Or any other of their 100 clients.

    • chuckula
    • 8 years ago

    Quote: “using a tool like PwnStar against a machine sporting one of these certificates”

    I don’t think pwnstar will take too kindly to you calling him a tool.

    • Deanjo
    • 8 years ago

    Quote: “6. Don’t buy a Lenovo product ever again.”

    More like: “1. Get a Mac”

    • chuckula
    • 8 years ago

    And now we know… the rrrrrrrrrrrest of the story.

    • NTMBK
    • 8 years ago

    You forgot:
    “6. Don’t buy a Lenovo product ever again.”
