Tuesday, 24 February 2015

Privdog Software Worse Than Superfish Adware

After computer manufacturer Lenovo appears to combine security provider Comodo adware with its own software SSL traffic intercepted, only the impact is much greater than with Lenovo's Superfish was. That says researcher Hanno Bock . Comodo is known software like Comodo Internet Security and Comodo Dragon Browser. With some of the programs PrivDog-adware is included.

Like Superfish intercepted PrivDog HTTPS traffic to inject ads from "reliable partners". Late last year, the ability to filter HTTPS traffic was already on the forum Comodo discussed . The software is after Superfish scandal now in the spotlight. A user decided because Superfish a test page to do, which warns users if their HTTPS connection is manipulated. Although the user is not used Superfish he got a warning. Then this user reported on Hacker News that the possible was the PrivDog-adware.

PrivDog not have the same vulnerability as Superfish, using a weak certificate and a weak password to protect the private key of the certificate, but one which is many times as possible according to Bock. Although Superfish same certificate and key used for all installations, PrivDog makes for each installation a separate key and certificate. The biggest problem is that each certificate PrivDog intercepted and replaced by a self-signed certificate.

It is also about certificates that were not valid in the first place. As a result, the browser will accept HTTPS each certificate that is, whether by a Certificate Authority (CA) is signed or not. "We are still trying to find out the details, but it looks bad," Bock says. The researcher also finds it strange that Comodo, which is itself a CA bundle adware with their own software. "If the CA would be their job to protect HTTPS, not break," the researcher concludes.

Meanwhile warns also the CERT Coordination Center (CERT / CC) at Carnegie Mellon University for PrivDog. An attacker could according to the CERT / CC HTTPS sites spoof and intercept HTTPS traffic without users see a certificate warning.Users will also be advised to remove PrivDog. This would also be the root certificate in question to be removed.

US-CERT writes: "Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions." A variant of PrivDog that is not affected by this issue is shipped with products produced by Comodo (see below). This makes this case especially interesting because Comodo itself is a certificate authority (they had issues before). As ACLU technologist Christopher Soghoian points out on Twitter the founder of PrivDog is the CEO of Comodo. (See this blog post.)

Update/Clarification: The dangerous TLS interception behaviour is part of the latest version of PrivDog, which can be downloaded from the PrivDog webpage. Comodo Internet Security bundles an earlier version of PrivDog that works with a browser extension, so it is not directly vulnerable to this threat. According to online sources PrivDog was released in December 2014 and changed the TLS interception technology.

Update 2: Privdog published an Advisory.

No comments:

Post a Comment