Ramblings of an old Doc


You can find part I here: https://forums.wincustomize.com/461686/page/1/#3524967

So, since that was published, Lenovo has published a fix, which you can find in the part I article. You might, understandably, want to try anyone else's fix in lieu of theirs.

Lenovo’s products which they state may be affected:

  • E-Series: E10-30
  • Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10
  • G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45
  • M-Series: Miix2 – 8, Miix2 – 10, Miix2 – 11
  • S-Series: S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70
  • U-Series: U330P, U430P, U330Touch, U430Touch, U540Touch
  • Y-Series: Y430P, Y40-70, Y50-70
  • Yoga-Series: Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13
  • Z-Series: Z40-70, Z40-75, Z50-70, Z50-75

They don’t know for certain? Beyond words.

Anyway, the sites where you can test for Superfish:

1. Filippo Valsorda’s test page: https://filippo.io/Badfish/ – Test with all browsers installed on your system.

2. Windows Defender – If you have it, it can also remove Superfish: http://windows.microsoft.com/en-us/windows7/products/features/windows-defender. Update its definitions first: https://www.microsoft.com/security/portal/definitions/adl.aspx

3. LastPass: https://lastpass.com/superfish/ – They recommend checking in each browser installed on your system.

Instructions (other than Lenovo’s) about how to remove Superfish:

The Electronic Frontier Foundation (EFF): https://www.eff.org/deeplinks/2015/02/how-remove-superfish-adware-your-lenovo-computer


Comments
on Feb 22, 2015

thanks checked out clear, nice to run the test though.

on Feb 22, 2015

Guess if you are going to spy might as well infect all your products.

on Feb 22, 2015

It's not a bug, it's a feature!

on Feb 22, 2015

DaveBax

Guess if you are going to spy might as well infect all your products.

Ah, there you are, Mr Bax... with some well deserved sarcasm for Lenovo. Hehe! How I love it when people serve it up to companies who think they can treat their customers however they like.

And here I was thinking that a superfish was something marine that'd feed a family of 25 and the grandparents [both sides] with some left over.

ElanaAhova

It's not a bug, it's a feature!

Yeah, but what a bugger of a feature.  I've got a few worst enemies I wouldn't wish it upon.

What Lenovo has done is disgraceful, to say the least.


About those worst enemies, yeah, well maybe I would....

on Feb 23, 2015

More news - Ad-aware and PrivDog (from the makers of Comodo) have the same vulnerability.


Another note--very many security suites perform SSL/TLS interception, at least optionally, using their own root certificate which they set up your machine to trust. I know first-hand that at least Kaspersky and NOD32 have this 'feature'.

While they may be less vulnerable to exploitation if they properly validate certificate chains before replacing them with self-signed copies and use unique private signing keys (Superfish apparently does neither), the fact remains that you are granting these apps access to any such protected information. And it is far easier for these root certs to be compromised than a real root cert as any bit of malware on your machine can do it. IMO these 'features' are not worth the risk of enabling, ever.

on Feb 23, 2015

This is just awful...so much for Kaspersky and NOD32.

Wondering if BitDefender has this self-signed certificate as well.

I remember publishing about the "elevation of privileges" issue that AVs have in them...and how they update their definitions.

Just getting worse and worse.

Thanks, kryo.

on Feb 23, 2015

Whoa.  If BitDefender does this, we're in a world of HIPAA hurt.

on Feb 23, 2015

Daiwa, I've written to ask and awaiting an answer.

As for friend PrivDog (which ships with Comodo - but doesn't install a Root Certificate)...

"It is therefore highly suggested to remove the software from the system and make sure that its root certificate is gone too after the removal. If it is not, you need to remove it manually from your system which you can do in the following way:

  • Tap on the Windows-key, type mmc.exe and hit enter.
  • Go to File -> Add/Remove Snap-in
  • Pick Certificates, click Add
  • Pick Computer Account, click Next
  • Pick Local Computer, click Finish
  • Click OK
  • Look under Trusted Root Certification Authorities -> Certificates

In case you are wondering what the connection between Comodo and PrivDog is: the CEO and founder of Comodo seems to be behind Privdog as well.

So why is this Superfish all over again? Both products add a root certificate to the user's computer and both make the user's computer insecure in the process and are used to earn revenue for the parent company. While they don't work the same, Privdog is arguably worse in terms of security than Superfish, they have been designed for the same purpose." - gHacks


on Feb 23, 2015

Sony's rootkit, Superfish, PrivDog????  I dunno, it's getting to the point where you don't know if there's anyone left to trust in the software/hardware development world.  It's like they're all out for fast, easy money, and all too often  to the detriment of their customers. 

To say it is disappointing is very much a gross understatement. 

There really needs to be some international laws put in place to seriously penalise the companies/persons responsible for all this 'bundled' crap that nobody wants, and I'm not talking small fines, either.  If the 'crap' is potentially harmful and compromises users safety, then the fines should be in the several millions... with prison terms for the orchestrators, ring leaders, etc.

In fact, I reckon ALL OEM bloatware should be illegal... that PCs, laptops and tablets come with just the operating system and no more. If HP, Dell, Lenovo and others have additional software that customers would like to use, then make it available for download from the manufacturer's site.... NOT preinstalled. And I say from the manufacturers' sites because C-Net and others bundle various items of crap with software titles and seem to have a never ending bag of tricks with which to dupe users into installing unwanted junk. If OEMs were to follow this practice the public outcry would be huge and they'd be forced to backtrack... if they were game to try it after this latest debacle.

Oh, and before I go, it's the fechen advertising execs.  Blame them, it's ALL their fechen fault... always seeking more ways to force more and more ads down your throat.

on Feb 23, 2015

DrJBHL

This is just awful...so much for Kaspersky and NOD32.

The products are fine otherwise--just don't use the SSL/TLS scanning options. AFAIK most AV suites have such features now.

on Feb 23, 2015

Daiwa

Whoa.  If BitDefender does this, we're in a world of HIPAA hurt.


Bitdefender does support SSL scanning in recent versions.

on Feb 23, 2015

Does PrivDog ship with Dragon or just their firewall/AV products?  I've had Comodo firewall on a couple of my rigs in the past but uninstalled them long ago.  As for BitDefender, we use the Small Business Suite on all our workstations & laptops, and I assume your comment, kryo, that it supports SSL scanning, is a good thing and that it doesn't install a vulnerable root certificate.

EDIT: Just saw your other post, doc.

on Feb 24, 2015

I assume your comment, kryo, that it supports SSL scanning, is a good thing and that it doesn't install a vulnerable root certificate.

No, it does install its own root cert. Performing a man-in-the-middle attack with fake certificates is the only way that AV suites can scan SSL/TLS encrypted traffic before it hits the browser. They could scan the traffic after it hits the browser with browser extensions, but most don't seem to use that option any more. As noted earlier, it boils down to three questions:

- Do you trust the AV software/provider with access to the encrypted information?

- Does the AV software properly validate certificates before replacing them with fakes (PrivDog doesn't)?

- Does the AV software use unique root certificates for each installation so there is no 'skeleton key' for phishers to use against you (Superfish doesn't)?

The mere fact that they are doing it does mean that you are introducing an additional vulnerability to your system. So long as you consent to it and they do the second and third things above though, the scope of that vulnerability is pretty limited (malware has to be on your machine to take advantage of the fake root cert) compared to Superfish. So it mostly boils down to the question of trust and evaluating that risk against the risk of downloading malware on HTTPS connections (which depends as much on the user's browsing habits as anything).

Now, if you're using a business version I can't say whether that has it or not--I'm only talking about consumer versions here. Though even if the business version does not scan encrypted traffic, there is no guarantee your employer is not decrypting traffic itself with an impersonating proxy or other means.

I've never seen a consumer AV suite where it was forced always on (though it may be on by default). Personally, I'm more secure knowing my bank is actually my bank and just blocking scripts/embeds than I am having the AV snooping my private traffic and rendering me unable to personally validate site identities.

on Feb 24, 2015


Personally, I'm more secure knowing my bank is actually my bank and just blocking scripts/embeds than I am having the AV snooping my private traffic and rendering me unable to personally validate site identities.

Same.