Microsoft helps out partner Lenovo, deletes Superfish 'crapware' and rogue cert

20.02.2015
Microsoft today updated its free Windows Defender and Security Essentials antivirus programs with a signature that sniffs out and deletes the rogue certificate linked to Superfish Visual Discovery, the "crapware" that blew up in Lenovo's face this week.

The signature, pegged Trojan:Win32/Superfish.A, scrubs a Windows PC of both the Superfish program and the self-signed certificate used to intercept secured traffic, according to Filippo Valsorda, a systems engineer at CloudFlare, a California security firm.

Microsoft confirmed that the signature cleaned Lenovo PCs of Superfish, but was not immediately able to say the same about the certificate.

Lenovo has taken a pounding this week for pre-loading Superfish onto many of its consumer PCs during a four-month stretch last year.

To serve ads on encrypted websites, Superfish installed a self-signed root certificate into the Windows certificate store, then resigned all certificates presented by domains using HTTPS. That meant a browser trusted all the fake certificates generated by Superfish, which was effectively conducting a classic "man-in-the-middle" (MITM) attack able to spy on supposedly secure traffic between a browser and a server.

At that point, all hackers needed to do was crack the password for the Superfish certificate to launch their own MITM attacks by, for example, duping Lenovo PC users into connecting to a malicious Wi-Fi hotspot in a public place, like a coffee shop, airport or library.

Cracking the password was laughably easy for a professional: Researcher Robert Graham, the CTO of Errata Security, outlined how he did it in a Thursday blog post.

Although Lenovo published instructions for manually removing Superfish and deleting the certificate, and promised to come up with a cleaning tool of its own, the latter has yet to appear. The Chinese OEM (original equipment manufacturer), the world's largest maker and seller of personal computers, also said it was looking for ways to deliver the tool as an automatic patch, possibly through partners such as Microsoft and McAfee, instead of relying on users to download it from its website.

The new signature may have been Microsoft's response to Lenovo's plea. Because anti-malware vendors have been notoriously hesitant to scour OEMs' crapware from PCs, Microsoft may have sought Lenovo's approval if the latter had not reached out directly.

Microsoft added the Trojan:Win32/Superfish.A definition today to its free anti-malware programs, Windows Defender and Security Essentials. Windows Defender is the anti-malware program baked into Windows 8 and 8.1 and the most pertinent; the Lenovo notebooks infected with Superfish were all powered by Windows 8.1.

Users must run a Windows Defender scan to eliminate Superfish. They may also need to first force an update by clicking the "Update" tab, then the large "Update" button.

(www.computerworld.com)

Gregg Keizer