Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps

Posted by timothy on from the keeps-on-giving dept.

Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

7 of 113 comments (clear)

  1. Re:Mossad connection by Anonymous Coward · · Score: 1, Insightful

    Israel is an "ally" only to the extent we allow them to be in order to serve our own interests. Mossad isn't a friend so much as the (irresponsible and unhinged) enemy of an enemy.

  2. Re:List 'em in the summary, slashdot. by Anonymous Coward · · Score: 3, Insightful

    That's supposed to be the list? Thanks, Ars Technicrap. Nnot only is that not "at least 12", the few things on that list that are actual software are already known to be malware.

  3. Re:Block off programmatic access to cert trust. by BitZtream · · Score: 4, Insightful

    And if your machine can automatically do all those things ... so can third party software because in order for you to do everything you want to do, there has to be a pragmatic way to do so, and if the OS can do it, so can any other software that has admin rights.

    Either way, you don't want to put that sort of power into the vendors hands, since it means they effectively have created the Apple App store, and if thats what you really want, just buy a Mac and stop using Windows (your first mistake).

    The only way to prevent this sort of thing is by not installing software that does it.

    But lets ignore all the problems with what you're suggesting and assume it works ... Lenovo would have just approved the certs before they shipped the machine. Or the machine would prompt the user, who would blindly do so on boot, just like all the other things users blindly do.

    If you want to prevent this from happening, put the people who do this AND the people who make the decisions to do this, IN JAIL.

    Both the developers who write the code to do it and the management who tells them to do so. Assign some personal responsibility for this shit and watch how it suddenly changes. The problem in America is that anyone in a company can basically do whatever they want and hide behind 'the company' who then gets some minor fine (Relatively) and the guy who did it doesn't care one bit.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Re:Mossad connection by wiredlogic · · Score: 4, Insightful

    They're a paper ally because they provide a convenient way to funnel our "aid" money into domestic arms production. A state that is always at war always needs bullets and we're only too happy to buy them on the American taxpayer's behalf, "gratis". This helps float the MIC when we're in between wars. Holocaust guilt prevents any criticism from gaining public traction.

    --
    I am becoming gerund, destroyer of verbs.
  5. Re:If the software is this bad by Anonymous Coward · · Score: 3, Insightful

    Sure, but in the bigger picture, the lion's share of all these security problems lay firmly in Window's lap. It's almost impossible to imagine an app with this kimodia garbage getting signed by Apple, or inserted into a Linux/BSD repo.

    We're not even talking about PEBKAC here, it's an extraordinarily serious issue that affects the entire Windows ecosphere because it's prepackaged. Every box that ships with Windows comes from a vendor who only cares about making a few extra cents per unit.

    Notice I didn't necessarily say Microsoft was to blame, just that using Windows is like playing Russian roulette with your financial and social well-being. "It's getting pretty crazy" because just by booting up a Windows system means 5 of the 6 chambers have a bullet.

  6. Microsoft's fault by countach · · Score: 3, Insightful

    Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

  7. Re:Mossad connection by Severus+Snape · · Score: 3, Insightful

    Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

    I love a good conspiracy as much as the next one but calm yourself. No idea why you got the + mod points. Jumping to random conclusions based on conjecture is silly. That said, I'm sure MOSSAD likes to get up to all kinds of evil shit. Just like their Five Eyes, Russian, and Chinese colleges do. Homeland Security and Microsoft reacted to Superfish because the information was in the public domain. In the same way we are reacting to it by discussing it right now.