By now, everyone who works in the realm of IT Security has heard of the Lenovo Superfish fiasco. Today, I’m going to give a moderately technical overview of Self Signed Root Certificates and how Superfish exploited them.
After this post, each of you can check the Root Certificates installed on your systems and take action against anything that looks “fishy” (pun totally intended).
What is Superfish?
Superfish is a third-party advertisement application Lenovo pre-installed on certain retail computers which injects advertisements within search engine results and shopping websites.
On the surface, this might seem like just another annoying piece of ad-ware (which it is!), but the real issue comes from the fact that Superfish works by intercepting encrypted internet traffic, including data ranging from Google searches to Bank websites.
The way Superfish does this is by utilizing a Self-Signed Root Certificate pre-installed by Lenovo on the system then replacing legitimate site certificates with its own, allowing it to read the contents of the encrypted internet traffic and inject advertisements.
This process is analogous to a “man-in-the-middle” attack and is sometimes referred to as SSL hijacking.
To add insult to injury, Superfish is utilizing a deprecated type of certificate with a very weak encryption scheme. Further, the software is forcing the weak certificate for each and every encrypted website users are accessing on their systems.
3 Steps to Fix the Superfish Security Hole
To check out if the Superfish certificate exists on your Windows operating system and to remove it follow these steps:
1. Open the Microsoft Management Console (MMC.exe) and add the “Certificates” snap in (detailed instructions found here).
2. Locate the Trusted Root Certification Authorities folder and start scrolling down. If you find the Superfish Certificate on your system, right click and delete.
3. The list of trusted Root Certificates that Microsoft requires on Windows operating systems can be found here. Try comparing them to what is currently installed on your OS.
Audit Note: The Lenovo Superfish fiasco serves as a good reminder that just because you removed the ad-ware doesn’t mean the Root Certificates which allowed the ad-ware to function were removed as well. For example, if you were to discover Superfish were installed on your system, simply uninstalling it from Add/Remove programs doesn’t close the security hole, the Self Signed Root Certificate must also be manually removed.