Superfish, the adware that was being distributed by Lenovo sounded bad enough, right? Well, here’s worse: PrivDog, a tool that tampers with SSL certificates is being promoted by Comodo, a security company. PrivDog has a massive vulnerability that basically allows the same man-in-the-middle attack as the adware, Superfish. However, it is important to note that the version of PrivDog with the problem was never directly distributed by Comodo. It seems the version with the vulnerability was avoided and the previous version of the software was bundled with Comodo Internet Security. In any case association with such an incident is bound to be questionable.
Analyzing the Problem
In order to replace ads on HTTPS protected websites, PrivDog installs a self generated root certificate on the system. Thus, whenever a user tries to access a secure HTTPS website, PrivDog replaces the SSL certificate of the original website with its own local certificates signed with its own, locally installed, root certificate which is essentially a man-in-the-middle proxy. This means PrivDog can be used to decrypt and manipulate otherwise secure traffic.
According to the US Computer Emergency Readiness Team (CERT):
Adtrustmedia PrivDog is a Windows application that advertises “… safer, faster and more private web browsing.” Privdog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 3.0.96.0 is affected.
Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.
Since it turns out that PrivDog does not properly validate the original website certificates, it could easily be exploited by an attacker and could lead to phishing. This makes the problem even more serious than the one in Superfish.
As stated by PC World:
“Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.”
Mark James, an ESET security specialist also mentioned:
“The standalone version of PrivDog, when installed, creates [a root SSL] certificate, and it will intercept every certificate it finds and then replace it with one signed by its root key. This enables it to replace adverts in web pages with its own ads from ‘trusted sources’.”
“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless if it’s been signed by a certificate authority or not”
This major issue is present in PrivDog versions 3.0.96.0 and 3.0.97.0 and anyone using one of these versions should remove the application immediately.
Making Amends
The Adtrustmedia-PrivDog team have released a security advisory warning people of the vulnerability, but surprisingly have assigned it a threat level of “low”. A newer version is also available for download at the company’s site.
The PrivDog team have reported:
A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version
It seems the problem has been patched fairly fast but fixing the reputation of the company will take much longer, especially since PrivDog’s sole purpose is ensuring user privacy and blocking unwanted ads.
Comodo on the other hand responded by saying that the affected version of PrivDog was never distributed by them. The version bundled with Comodo Internet Security was version 2 which was not affected by the vulnerability. Although this is a fair point, it is baffling that an SSL certificate company is supporting and closely related to such software. You would expect a security company to know better.
An Unpleasant Surprise
The most surprising thing in this case are the parties involved. PrivDog (an application that promises safer, faster and more trusted web browsing) and Comodo (a security company that specializes in SSL certificates). Both these companies will have an uphill battle when it comes to regaining the trust of their users. It is definitely shocking that applications that claim to improve security actually end up making their users more vulnerable and prone to attacks.
Have a nice (vulnerability-free) day!
Related Posts:
- Warning! Lenovo pre-loads “Superfish” adware…
- ALERT: Fake ID Lets Malware Impersonate Legit Android Apps
- What is a Digital Certificate?
- Protecting Yourself from Heartbleed
- The Heartbleed Bug: A Critical Vulnerability in OpenSSL
PrivDog, a Comodo add-on also bypasses SSL security
The NSA has made the news headlines a lot lately with frequent attempts to infringe on people’s privacy, but the US is not the only player in the game. French service DGSE is responsible for creating a spyware called Babar which was recently leaked by Edward Snowden. More details on the leak can be found here. This so called monitoring program was used against Iranian nuclear research institutes and universities, European financial institutions, former French colonies and a media organization in Canada.
It’s a known fact that most consumer desktop and laptop manufacturers like to add bloatware to their machines. Most new laptops come with plenty of unwanted software including lots of trials and add-ons. Computer manufacturer Lenovo seems to have taken it to a new level by pre-loading active adware on new consumer laptops. Adware is usually just advertising software but there is a thin line between being just opportunistic and actually shady and malicious. SuperFish, the adware pre-installed in this case comes dangerously close to that boundary and also has some major security holes.
Users report that the adware installs its own self-signed certificate authority which effectively allows it to spy on secure connections, like the ones used in banking websites. This malicious technique is known as man-in-the-middle attack, similar to those used in Heartbleed. Superfish bypasses SSL security, and it has been reported that users who have Superfish installed are now vulnerable to hacking and spying attacks due to it’s cracked certificate. It is surprising and disturbing that a major computer manufacturer like Lenovo is distributing such shady software.
Kaspersky Lab revealed on Saturday that a multinational gang of cyber criminals has stolen up to $1 billion from as many as 100 financial institutions around the world in a few years time. Attacks on ATM machines or individual bank accounts are quite common nowadays. This time the criminals took the unusual approach of stealing directly from banks by targeting bank employee’s computers. The hackers sent emails to hundreds of bank employees that included a malicious link. Once clicked on, a malware program called Carbanak would install which allowed the hackers to get onto the bank’s internal network and spy on the staff’s activities. The malware program recorded keystrokes and took screen shots of the bank’s computers, so that hackers could learn bank procedures and get access to the bank’s administrative system.
Facebook has recently launched a new, dedicated social platform called ThreatExchange. It aims to allow security experts to come together, collaborate and benefit from each other’s information. With cybercrime on the rise, this is a welcome step and could help prevent several large scale attacks in the future.
The latest/updated version of Internet Explorer seems to have a serious security glitch that makes it possible for hackers to inject malicious code into a user’s browsing session and steal their login credentials. The bug is present in IE 11 and affects users on both Windows 7 and Windows 8.1.