Mozilla has issued a hotfix for Firefox that removes the Superfish root certificate from the browser's trusted root store. The patch only removes the certificate if the Superfish software has already been removed from the machine, however.
The Superfish adware performs SSL interception, essentially running man-in-the-middle attacks on connections to secure sites, in order to inject contextual ads into users' Web sessions. The adware came pre-loaded on some Lenovo laptops shipped in the last few months, which security researchers revealed late last month. Rob Graham of Errata Security quickly extracted the Superfish root certificate, along with its private key, and cracked the password protecting it. Because every affected machine trusts the same root, holding that key gives an attacker, not just Graham, the ability to perform MITM attacks against Lenovo owners with Superfish installed.
Removal tools for the Superfish adware have been published in the last week or two, and now Mozilla is pushing out a hot fix that will remove the root certificate from the browser.
“The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines. SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to masquerade as secure websites, in order to spy on users or steal personal information. Firefox is affected by Superfish, but Mozilla is deploying a hotfix to Firefox that works with other disinfection software to ensure that Firefox is disinfected as well,” Richard Barnes of Mozilla wrote in a blog post.
“Like other SSL interception software, Superfish seeks to add functionality to the Web by intercepting secure Web connections and injecting content into Web sites. In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores. With this trusted authority in place, Superfish can effectively create a fake ID for any website, so that it can convince Firefox that the browser is connected to the real website — even though it’s actually connected to Superfish.”
Mozilla officials said that the hotfix won't remove the Superfish certificate if the adware is still installed on a laptop. While Superfish is running, it intercepts every HTTPS connection and hands Firefox a certificate it has signed under its own root; if that root were pulled from the trust store while the interception continued, every one of those certificates would fail validation and the user wouldn't be able to access any HTTPS site. Barnes also had some suggestions for developers considering SSL interception.
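The following is an added example, not code from the article or from Mozilla, Lenovo or Superfish. It reproduces the two situations described above with openssl: a constructed root certificate (not the real Superfish certificate) signs a forged leaf for a hostname, a trust store containing that root accepts the forgery, and a store without it (here, one holding only an unrelated constructed root) rejects the same forgery. The function names, the temporary-directory layout and the hostnames are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; not code from the article, Mozilla, Lenovo or Superfish.
# It simulates SSL interception with openssl: a constructed root (NOT the real
# Superfish certificate) signs a forged leaf for a hostname the user visits.
# Any trust store containing the root accepts the forgery; any store without it
# rejects it, which is why a browser left with the interceptor still running
# but the root removed would fail on every HTTPS site.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf.
# ca_ext marks the root as a CA, which chain validation requires.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# make_root <name> <subject-CN>: self-signed CA written to $WORK/<name>.pem/.key
make_root() {
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# forge_leaf <hostname> <root-name>: certificate for <hostname> signed by the
# named root, i.e. the "fake ID for any website" the interceptor presents.
forge_leaf() {
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_with_store <leaf.pem> <ca-bundle.pem>: prints "trusted" or "rejected".
# openssl may also consult the system CA bundle; it never contains the
# constructed root, so that does not change the outcome.
verify_with_store() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Demo: a store with the interception root installed, then a store that holds
# only an unrelated root (stand-in for the legitimate CAs that remain after
# the interception root is removed).
make_root interception "Constructed Interception Root"
make_root unrelated "Constructed Unrelated Root"
forge_leaf www.example.com interception
echo "interception root in store : $(verify_with_store "$WORK/www.example.com.pem" "$WORK/interception.pem")"
echo "interception root removed  : $(verify_with_store "$WORK/www.example.com.pem" "$WORK/unrelated.pem")"
```

The second line of output is the state Mozilla's hotfix avoids: the certificate store no longer trusts the interception root, but if the interceptor were still running it would keep presenting leaves signed by that root for every site, and each one would be rejected. Removing the software first, so that genuine server certificates reach the browser again, is what makes removing the root safe.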
“If you want to add features to the Web, don’t intercept, make an extension. All of the major browsers offer extension frameworks. Using these toolkits helps you avoid violating users’ security, while also giving you more powerful, and easier-to-use tools than you can get from an interception system,” Barnes said.