Lenovo's Superfish nightmare may be the tip of the iceberg

The root cause of the high-profile Superfish vulnerability suggests that this problem could be more widespread than it initially seemed.

Cloud computing security lock.
Credit: Thinkstock

The Superfish problem didn't happen in a vacuum. And it's not limited to just certain Lenovo notebooks sold between October 2014 and January 2015. This is because the chain of fools goes back to a root source at Komodia, now a poster child for what amounts to zero-days for the rest of us.

Their ploy is pretty simple: 1.) Insert and spoof root certificates, 2.) Profit! And Superfish isn't the only problem, as ArsTechnica reported, via Marc Rogers of CloudFlare. You can find the total miserable story by following Marc's link to the CERT Vulnerability notice. Drink your coffee before clicking, please, because your day just got a lot worse.

Why is it a bad day? Because if you don't zealously guard your user's sessions via insanely tight remote sessions and/or additions of breathtakingly bolted-down user policy controls, perhaps your users have installed one of eight (that we know of) applications that have, oh yeah, the same password as the spoof cert: komodia. Yes, Komodia invented the spoofing methodology that underlies eight more programs that use the same spoof, and the same misery can result—easily forged certificates with cross-site redirects that only an HSBC Swiss Bank Manager could love.

Perhaps it's improbable that your sites are affected, but a Pandora's box has been opened. Consider that if it was this easy to insert root certificates that can spoof away at will, are your cloud and other host certificates legitimate? How would you know? Are your security people taking vacations soon?

I get the nagging feeling that this might be the tip of an iceberg. How many super cracks have you seen in the past 30 days? Imagine a hapless user, hopefully NOT your CFO, opening a benign email with a payload that monkeys with his/her root cert cache, or worse, your organization's root/CA cache. It's script kiddies from there. They'll eat your lunch between cartoon shows.

Worse still, your builds might be compromised. It's something that few people check. Hey, Ernie, did you and Kate check that build for its browser root certs? Say what?

This is bad news. We need a cert for our certs. We need an impenetrable method of guaranteeing that top-level certs, or even subsidiary certs, aren't corrupted or surreptitiously appended.

One more case of coffee ought to do it, eh?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10