Lenovo's Superfish bug just went from bad to worse, as researchers have turned up an easy way to take advantage of the security flaws opened up by the pre-installed software. Superfish is present on Lenovo laptops sold between September 2014 and January 2015, although Lenovo says no Thinkpads were shipped with the software. The bug has come under fire for breaking fundamental web security protocols, routing all encryption through a single password-protected certificate authority owned by a third-party adware company that makes Superfish. Anyone with the password that unlocks that certificate authority would be able to completely bypass the computer's web encryption.
This morning, researchers found and published that password, turning a security flaw into an active vector for attack. According to a post by Errata Security's Robert David Graham, the password was stored in the Superfish software's active memory and was trivial to extract.
The password was trivial to extract
The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.
Even worse, there's no clear fix for the issue. The software can be uninstalled (instructions are here), but that won't entirely solve the issue. Superfish sets all infected computers to run web encryption through Superfish's certificate authority, which is now easily unlocked by the published password — but simply uninstalling the software won't remove the certificate from your trusted settings. You can remove it manually once the software is out or, for the extra-careful, reinstall the operating system entirely. This test will show if your computer is affected, courtesy of researcher Filippo Valsorda.
In the meantime, anyone affected by the bug should avoid public Wi-Fi networks whenever possible, or connect through a protected VPN. In a statement earlier today, Lenovo said the company had "thoroughly investigated this technology and [does] not find any evidence to substantiate security concerns."
2/19 1:39pm: Updated to include more comprehensive instructions for removing the bug.