Superfish Security Certificate Password Cracked, Creating New Attack Vector

In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with a 'a pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."

Re:No words

[Gr8Apes]

It already happened to Sony, recall the CD rootkit incident? That was even more evil, as it wasn't just malware, but an actual attack. Sony's still around but they seem to be having some financial trouble of late or something. Karma sure can be a bitch.

Re:Nice try

[KevReedUK]

Think it through...

1) Drive F/W gets infected.
2) Drive infects OS and UEFI on boot.
3) You detect malware, but don't realise it's in the F/W of the drive. You disinfect the drive and reboot.
4) You notice the malware is still evident, but can't find any trace of it on the drive. You detect it in the UEFI and flash that to get rid of it.
5) You notice it's STILL there, so you assume it must be so deep in the UEFI that you can't get rid of it (which many would consider far more plausible than it being in the DRIVE F/W!). You therefore replace the whole PC, but swap the disk over as you believe the drive (which you have now "securely" wiped) is safe.
6) Guess what's now infected!?!

OR (more likely) you infect an external hard disk and find that you're still spreading malware from machine to machine throughout the PCs of your company/family/friends/whatever, even after you have "securely" wiped it.