Superfish and Lessons Not Learned – Preloaded Malware

Our customers regularly develop products for Windows systems. Due to the dynamics of today's laptop and desktop market, machines hosting Windows operating systems often come pre-packaged with a variety of "bloatware". It is therefore especially problematic that, as in the case of Superfish, software disguised as harmless bloatware can in actuality be malware. In this post, ISE begins by giving a high-level overview of the history of bloatware and products stemming from its evolution. We conclude with our recommendations for avoiding bloatware, like Superfish, in the future.

Superfish and Other Bloatware

Computer manufacturers have long been known to bundle a large number of add-on software packages into the factory install of the Windows operating system, particularly on their consumer-grade computers. These packages often consist of trial-based or advertising-supported software, and are derisively known as "bloatware" for increasing memory and disk usage and reducing performance, compared to a clean Windows installation from Microsoft-provided media. Technical users regard these packages as a nuisance and either uninstall them or reinstall Windows; enterprises often sidestep the issue by reimaging systems upon purchase with a clean OS image that they create through Microsoft's volume licensing program.

The recent example of Lenovo's Superfish software shows that these programs can be far more than a nuisance. In order to allow the software to inject advertisements into secure (HTTPS) websites, Superfish automatically installs its own custom certificate authority into the system's trust store. This certificate authority allows the Superfish software to intercept and proxy browser connections to HTTPS web servers without triggering a browser security warning.

Worse, this certificate and its associated private key are hard-coded into the Superfish software, and shared across all Superfish installations. Anyone with a copy of Superfish can extract the certificate and private key within it, and then use that key to silently perform man-in-the-middle attacks against Lenovo computer users [1]. Therefore, installing the Superfish software completely undermines the certificate authority security model that protects HTTPS-based connections from interception or server impersonation. The presence of Superfish on a computer system should be treated as a malware infection and handled accordingly.
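A way to check a Windows machine for the trust-store change described above, as an added example that is not part of the original post. The baseline file path and the "Superfish" name pattern are assumptions; the baseline is a list of root thumbprints exported from a clean Windows image such as the one enterprises reimage with.

```powershell
# Added example: audit the Windows root trust stores for unexpected CAs.
# Assumptions (not from the original post): the baseline file name and the
# name pattern used to match the certificate subject or issuer.
param(
    [string]$BaselinePath = '.\clean-image-roots.txt',  # hypothetical: one thumbprint per line
    [string]$NamePattern  = 'Superfish'
)

# Thumbprints exported from a known-clean Windows image, if a baseline exists.
$baseline = @()
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = @(Get-Content -LiteralPath $BaselinePath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ })
}

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        if ($cert.Subject -match $NamePattern -or $cert.Issuer -match $NamePattern) {
            $reasons += 'name matches pattern'
        }
        # Public roots ship without private keys; a key held locally means
        # this machine can sign certificates for that CA.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }
        if ($baseline.Count -gt 0 -and $baseline -notcontains $cert.Thumbprint) {
            $reasons += 'not in clean-image baseline'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# The per-user view also lists machine-wide roots, so report each thumbprint once.
$findings | Sort-Object -Property Thumbprint -Unique | Format-Table -AutoSize -Wrap
```

Without a baseline file the script still reports name matches and locally held private keys. Browsers that keep their own trust store are not covered by this check.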

Given this example, computer manufacturers should reconsider their practices of preinstalling Superfish and other bloatware on their machines. (Note, other manufacturers, like Nokia, have been guilty of similar issues [2].) All bloatware increases the attack surface for the average user. These nontechnical users have no way to know whether a process running in the background is a necessary component of their computer, or not. The "value" added by bloatware is to another company, not the end user. Given that it is installed by default, and a hassle for users to remove, manufacturers should hold preinstalled software to the same security and quality standards as the operating system itself. To do otherwise is irresponsible, and does a disservice to the Internet community at large by introducing needless security risks.

Suggestions

We recommend the following to a) combat the security risks presented by bloatware and b) allow users an easier uninstallation process:

  • Lenovo users should understand that they are using these machines at their own risk, and if dealing with other parties' sensitive information or communications, are exposing them to that risk as well, so long as the Superfish malware resides on their Lenovo systems.
  • Anti-virus vendors should incorporate signatures into their products that regard the Superfish software as malware and allow the user to remove it.
  • Microsoft, Google, Mozilla, and other browser vendors should issue certificate updates that permanently blacklist the Superfish certificate authority from ever being trusted by their software.
  • Non-technical end users should purchase future computers from manufacturers who do not bundle bloatware. For example, Apple has avoided bundling third-party software with their products for many years; Microsoft offers Signature PCs for Windows users who wish to avoid bloatware, but charges a premium for the service.
  • Computer manufacturers should bundle Windows reinstallation media with their products. Reinstallation media allows technical users to reinstall a clean copy of Windows, in contrast to recovery media, which reinstalls the full factory image, including all bloatware. Once a routine practice, the bundling of reinstallation media is virtually unknown today. Lenovo was among the earliest manufacturers to stop providing this media.
  • Manufacturers who insist on bundling preloaded software should perform a rigorous security review of the software before allowing it. The manufacturers could provide a more user-friendly experience by displaying a dialog on the system's first boot, allowing the user to select any desired software rather than preinstalling all of the software.

Additional Information

Readers interested in further technical details about Superfish and bloatware in general can reach us at: contact AT securityevaluators DOT com

References

  1. Extracting the SuperFish Certificate
  2. Nokia Running A Man In The Middle Attack To Decrypt All Your Encrypted Traffic, But Promises Not To Peek