Microsoft has taken steps to impede the next Superfish from impacting users.
Superfish was pre-installed adware found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. Attackers could take advantage of this scenario—especially after the password for the cert that shipped with Superfish was found—to listen in on encrypted communication.
Microsoft this week said it has updated its rules around adware: programs that inject ads into the browser are now required to use only the browser’s “supported extensibility model for installation, execution, disabling and removal.” Microsoft said that starting March 31, 2016 it will detect and begin removing programs that are not in compliance.
“The choice and control belong to the users, and we are determined to protect that,” wrote Barak Shein and Michael Johnson of Microsoft’s Malware Protection Center.
Lenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as Mozilla removed the root cert from Firefox’s trusted root store.
Superfish’s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also to the manipulation of DNS settings and other network-layer attacks. Worse yet, because its root cert sat in the system’s trusted store, Superfish-like software would not trigger the browser’s certificate warnings about man-in-the-middle attacks.
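The behavior described above relies on a self-signed root being trusted by the machine, so a defender’s first check is the local root store itself. The following PowerShell audit is an added example written for this article, not code from Microsoft, Lenovo or Superfish; it assumes an elevated Windows PowerShell session on the machine being audited, and the function name and the 90-day threshold are the author’s own choices. It flags self-signed roots that either carry a private key on the endpoint (a public CA never ships its signing key to end users, but an interception proxy must have it locally to mint per-site certs) or whose validity started recently.

```powershell
# Added example (not from the article): audit the Windows trusted root stores
# for root certificates that look like locally installed interception CAs.
# Assumption: run in an elevated Windows PowerShell session on the audited host.

function Get-SuspiciousRootCerts {
    param(
        # Stores to inspect; interception tools install their root into one of these.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Roots whose validity began within this many days get a second look
        # (heuristic: a freshly generated CA usually has a recent NotBefore).
        [int]$RecentDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # Roots are self-signed by definition; subject and issuer match.
            $selfSigned    = ($cert.Subject -eq $cert.Issuer)
            # A root whose private key is present on this machine can sign a
            # certificate for any site the browser visits.
            $hasPrivateKey = $cert.HasPrivateKey
            $recent        = ($cert.NotBefore -gt $cutoff)

            if ($selfSigned -and ($hasPrivateKey -or $recent)) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotBefore     = $cert.NotBefore
                    HasPrivateKey = $hasPrivateKey
                    Reason        = if ($hasPrivateKey) { 'private key present on host' } else { 'validity began recently' }
                }
            }
        }
    }
}

# Usage: list the findings; review each flagged root against the vendor's
# documentation before removing it with Remove-Item on its Cert: path.
Get-SuspiciousRootCerts | Format-Table -AutoSize
```

The private-key test is the decisive one: legitimate roots distributed through the Microsoft Trusted Root Program arrive as public certificates only, so any root in these stores with `HasPrivateKey` set deserves an explanation. The recency test is only a prompt for review, since Microsoft also adds new public roots from time to time.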
“All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,” Microsoft said. “Our intent is to keep the user in control of their browsing experience and these methods reduce that control.”