Superfish

The Superfish story broke properly yesterday and is at full pitch today. Lenovo shipped consumer laptops with a piece of bundled adware called Superfish Visual Discovery, which inserts product comparisons into image searches. To do this against HTTPS pages, it installs its own root certificate authority into the Windows trust store and runs as a man-in-the-middle on outgoing TLS connections, presenting browser-trusted certificates that it has issued itself.

That is bad. The detail that takes it from bad to disastrous is that the same Superfish CA private key is shipped on every affected laptop, and Robert Graham at Errata has extracted it (Errata Security, "Extracting the SuperFish certificate"). The password protecting the keystore was the string "komodia". Anybody on the same coffee-shop wifi as a Superfish-infected laptop can now issue a certificate for any website and have the laptop's browser trust it, end of story. There is no further attack required.

The CERT/CC vulnerability note (VU#529496) and US-CERT alert went out today. Microsoft has updated Defender to remove Superfish; the new signatures are pulling the binary and, importantly, removing the certificate from the trust store (MMPC blog post). Lenovo's first statement was poor — they characterised the issue as not a security concern and pointed at a Superfish toggle as the remedy. By Thursday evening they had walked back to a fuller statement and shipped a removal tool. Expect the legal exposure conversation to be lively.

The deeper concern is structural. Superfish is one of a class of products that operate by interposing on TLS — the technique is sometimes called SSL interception, sometimes content adaptation, depending on whether you are selling it or describing it — and the same architectural pattern appears in a number of other shipping packages. Komodia, the company whose SDK Superfish uses for the certificate-substitution work, lists multiple customers. Filippo Valsorda's online checker is producing a steadily lengthening list of affected products today (filippo.io/Badfish). The same-key-everywhere problem is not unique to Superfish. It is a general consequence of a vendor shipping a certificate authority as part of a software product, and the answer to the same-key problem — issuing a per-installation certificate from a vendor-managed signing service — is operationally non-trivial and creates its own privacy concerns.

For the SOC, there are two pieces of work this morning. First, detect Superfish on customer endpoints. The simplest approach is a registry check for the Superfish entries combined with a check for the Superfish CA certificate in the trust store; we are pushing this as an OSSEC active response across the customer fleets where we have agent deployment. Second, alert on certificate-presentation anomalies in TLS traffic — this is harder, because we do not generally inspect customer TLS, but for inline gateways with policy-based interception, the appearance of a Superfish-issued certificate on outbound connections is detectable.
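An endpoint check along those lines, added here as an example (it is not code from the post, from OSSEC, or from Lenovo's or Microsoft's removal tools). It assumes the Superfish CA certificate carries "Superfish" in its Subject and that the adware registered a standard Uninstall entry with "Superfish" in its DisplayName; both patterns are assumptions to adjust per fleet.

```powershell
# Added example: detect Superfish artefacts on a Windows endpoint.
# Assumed matching patterns: "Superfish" in the CA cert Subject/Issuer and in
# the Uninstall DisplayName. Detection only; nothing is removed here.

function Find-SuperfishCert {
    # The post says the CA went into the Windows trust store but not which
    # store, so check both the machine and the current-user root stores.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Find-SuperfishUninstallEntry {
    # Check both the native and the WOW6432Node uninstall hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Superfish*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSPath
}

$certs = @(Find-SuperfishCert)
$apps  = @(Find-SuperfishUninstallEntry)

if ($certs.Count -eq 0 -and $apps.Count -eq 0) {
    Write-Output 'CLEAN: no Superfish certificate or uninstall entry found'
    exit 0
}

# A lingering root certificate with the program gone is still a finding:
# the trust-store entry is what makes the shared key exploitable.
$certs | Format-Table -AutoSize
$apps  | Format-Table -AutoSize
Write-Output 'ALERT: Superfish artefacts present; the CA certificate must be removed, not just the program'
exit 1   # non-zero so an agent (e.g. an OSSEC active response) treats this as a hit
```

Run it elevated so the LocalMachine store and the HKLM uninstall keys are readable; the exit code is what the agent should key on.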

For the vCISO clients, there is a procurement question. The line "we only buy enterprise-class hardware, this does not affect us" is one I have already heard twice today. It is partially correct — the affected Lenovo lines are consumer-grade and Lenovo has stated that ThinkPad and ThinkCentre products do not ship with Superfish — but it is also too narrow. The procurement conversation is not "are we affected by Superfish"; it is "what is in our supply-chain trust assumption, and what are we doing to verify it". Browse Jacobson's last assessment of laptop supply included spot-check trust-store reviews on receipt; that practice is going to be in more programmes from this week onward.

The third-order effect is on the user trust model. The reason Superfish can do what it does is that the operating system trusts the local machine's root store as authoritative, and the browser inherits that trust. There has been a quiet conversation among browser vendors about pinning, about certificate transparency (RFC 6962), about reducing the level of authority a single rogue CA can wield. Superfish is going to give that conversation more momentum. Expect to see more aggressive pin enforcement, more public-key pinning, and more pressure for mandatory Certificate Transparency logging in the next few months.

The bit I find personally galling is the password. "komodia". A keystore password. Shipped to every customer. The technical sophistication required to find a flaw of this severity is precisely zero. Robert Graham mentioned in his post that he extracted the key in approximately three hours, and most of that was figuring out the file format. The vulnerability is not in the cryptography; it is in the basic discipline. That is the lesson worth keeping for Tuesday's vCISO call.
