Superfish Fallout: Lavasoft And Comodo Also Putting Users At Risk

Last week we ran a post on how Lenovo shipped software that allowed SSL to be bypassed. Then we found out that more apps used the same encryption-stripping technique, leaving users open to attack. The hemorrhage continues this week with an announcement from security researcher Filippo Valsorda that the antivirus company Lavasoft used similar SSL interception code in the Lavasoft Ad-Aware Web Companion. The Lavasoft vulnerability is actually worse than the Lenovo one: basically any SSL cert can be stripped, leaving users open to attack by the noobest of noobs.

Oh, and it gets worse. Comodo, the largest provider of SSL security certificates on the internet, has security software called PrivDog. The stand-alone version makes your browser blindly trust any self-signed certificate. Filippo notes that Comodo PrivDog is unique because it does not use the Komodia technology that ties Lenovo, Lavasoft, and the others in this vulnerability together.

The risk is quite severe. This vulnerability allows any attacker to get between your computer and the web site you think you are communicating with securely. If you have any of the named software, your system is at risk. Uninstalling the application may not be fully effective in mitigating the risk; you will also need to purge the root certificates associated with it from your trust store.
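As an added illustration (not code from the original post, nor from Lenovo, Lavasoft, Comodo or Komodia), the Go program below models why removing the application alone is not enough. It mints constructed, in-memory CAs and certificates, then checks a site certificate forged with an "interceptor" CA key against a clean trust store, against a store where that interceptor root has been installed, and again after the root is purged. It also models the blind self-signed trust the post attributes to PrivDog as a `trustAnySelfSigned` switch. Every name here (`bank.example`, the "Constructed ... Root CA" subjects) is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a constructed in-memory test certificate for cn; self-signed when parent == nil.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Validate checks leaf for host against the roots in store, as a browser checks a site
// certificate. trustAnySelfSigned models the PrivDog defect: a self-signed cert is accepted as a root.
func Validate(leaf *x509.Certificate, store []*x509.Certificate, host string, trustAnySelfSigned bool) error {
	pool := x509.NewCertPool()
	for _, c := range store {
		pool.AddCert(c)
	}
	selfSigned := string(leaf.RawIssuer) == string(leaf.RawSubject) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	if trustAnySelfSigned && selfSigned {
		pool.AddCert(leaf) // the flaw: the peer vouches for itself
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Purge drops every root whose CommonName is cn: the step that uninstalling the product alone skips.
func Purge(store []*x509.Certificate, cn string) (kept []*x509.Certificate) {
	for _, c := range store {
		if c.Subject.CommonName != cn {
			kept = append(kept, c)
		}
	}
	return kept
}

// RunScenarios reports, per constructed scenario, whether the cert presented for bank.example was accepted.
func RunScenarios() map[string]bool {
	const host = "bank.example" // constructed hostname
	legitRoot, legitKey := issue("Constructed Legit Root CA", true, nil, nil, nil)
	genuine, _ := issue(host, false, []string{host}, legitRoot, legitKey)
	interceptorRoot, interceptorKey := issue("Constructed Interceptor Root CA", true, nil, nil, nil)
	forged, _ := issue(host, false, []string{host}, interceptorRoot, interceptorKey)
	selfSigned, _ := issue(host, false, []string{host}, nil, nil)
	clean := []*x509.Certificate{legitRoot}
	poisoned := []*x509.Certificate{legitRoot, interceptorRoot}
	return map[string]bool{
		"genuine cert, clean store":               Validate(genuine, clean, host, false) == nil,
		"forged cert, clean store":                Validate(forged, clean, host, false) == nil,
		"forged cert, interceptor root installed": Validate(forged, poisoned, host, false) == nil,
		"forged cert, root purged":                Validate(forged, Purge(poisoned, "Constructed Interceptor Root CA"), host, false) == nil,
		"self-signed cert, strict":                Validate(selfSigned, clean, host, false) == nil,
		"self-signed cert, blind trust":           Validate(selfSigned, clean, host, true) == nil,
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

The forged certificate fails against a clean store, validates as soon as the interceptor root sits in the store, and fails again once that root is purged; the self-signed certificate is rejected under strict validation and accepted only under the blind-trust switch. `Purge` operates on an in-memory slice for illustration; on a real machine the equivalent step is removing the root from the operating system's and each browser's certificate store.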

Post by Protocol 46