Lenovo Products and the “Superfish” Vulnerability

Friday, 20th February, 2015

You may have seen reports in the media recently about something called “Superfish” on Lenovo laptops. Before I go into details, I want to stress one thing:

According to a statement from Lenovo, “ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.” This includes all Lenovo products sold by GC Support as well as products I have recommended customers buy through Shack West Pty. Ltd.

This is a very serious vulnerability which can allow an attacker to intercept information that should be completely secure on secure websites. By this I mean websites that use an address starting with “HTTPS://” including online banking and sites accepting payment information such as credit card info.

The “Superfish” software is intended to monitor your web browsing activity and use the information to “recommend” products similar to what you’re viewing. To say the least, including such software pre-installed on systems was a very poor decision on Lenovo’s part. This kind of software is often politely called “Potentially Unwanted Programs” or “PUPs”. Less politely it might even be called malware, adware or spyware. Lenovo has stated that they have taken measures to disable the software and provided removal instructions. They’ve also said that they have stopped installing it on all new units.

The problem is that the “bad guys” have worked out how to use the software to trick users into thinking they are talking to a secure site, all the while being able to see information that should be secure. They could potentially use this in a number of ways, including collecting details such as online banking passwords and details, or tricking you into installing more unwanted programs by making them look like they’re coming from a trusted source. Lenovo’s “deactivation” steps do not protect against these things unless users also remove the program from their systems.

Here are the essential links to information you might need if you are concerned about this issue:

Lenovo Security Advisory LEN-2015-010 – “SUPERFISH VULNERABILITY” (Includes a list of affected models.)

Lenovo “SUPERFISH UNINSTALL INSTRUCTIONS”
Note that just uninstalling from the Control Panel does NOT resolve the security threat. You must also manually remove the compromised certificate. The above link shows how.
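Because the certificate outlives the Control Panel uninstall, the quickest way to confirm a machine is clean is to look in the Windows certificate stores directly. The script below is an added example (not from Lenovo’s advisory or this post) that lists any root certificate whose subject or issuer mentions Superfish, shows whether a private key is stored with it (a root CA certificate that carries its private key on the machine is exactly what lets the interception happen), and previews the removal with -WhatIf. It assumes the rogue certificate’s subject contains the word “Superfish” (it was issued in the name of Superfish, Inc.) and that you run it from an elevated PowerShell prompt.

```powershell
# Added example: find (and optionally remove) the Superfish root certificate.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
# Run from an elevated PowerShell prompt.

$pattern = '*Superfish*'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect every matching certificate from both root stores.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern }
}

if (-not $found) {
    Write-Host "No certificate matching $pattern in $($stores -join ', ')"
    return
}

# HasPrivateKey = True on a trusted root is the red flag: the signing key that
# can forge any HTTPS site is sitting on this computer.
$found | Format-Table PSParentPath, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# Preview removal. Drop -WhatIf once you have confirmed the entries are the
# Superfish CA and not something you installed deliberately.
$found | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
```

Firefox and Thunderbird keep their own certificate stores, so a clean result here says nothing about those programs; check them separately as well.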

If you have any concerns that you might be impacted by this issue, or any other security issue on your systems, please contact me for advice.

Note that this post represents my best understanding of this issue based in information provided by Lenovo and other sources. It is opinion only. No guarantees are offered or provided. Further information may reveal additional impacts and risks in the future.

GC


New Zero-Day Vulnerability Reported for Internet Explorer

Tuesday, 18th September, 2012

There are lots of reports around today about a new vulnerability discovered affecting Microsoft’s web browser, Internet Explorer versions 6, 7, 8 and 9 running on Windows XP, Vista and 7. For the moment it seems that Internet Explorer 10 running on Windows 8 is not affected, however only those in the business and the geeks and egg-heads are likely to be using Windows 8.

If you just want to know what to do and don’t care about the terms and technicalities, just skip down to “What should I do?” now.

What is a “zero-day” vulnerability anyway?

The term zero-day refers to the amount of time that the developers of the affected software (in this case Microsoft as the developers of Internet Explorer) are aware of the problem before it is made public. Many security researchers will notify developers privately if they discover a new vulnerability before publishing their results to the wider community. This gives the developers a chance to provide a solution to the problem before the “bad guys” start using it.

However sometimes a vulnerability becomes public without any prior warning to the developers. This may be due to the discoverer being a researcher who simply publishes or sells results, rather than following a more responsible notification process. This approach may well be taken due to the financial rewards it may provide the researcher.

Or it may be that the discoverer is a “bad guy” himself and the first the public or the developer knows about the vulnerability is when malware (maybe a trojan, worm or virus) is found “infecting” computers in the general community. This appears to be the situation with the threat being reported on today.

What’s the risk?

This particular vulnerability can allow the attacker to have access to your computer equivalent to your own level of access. That means for your own computer they can probably do just about anything they want. If you’re on a company computer and don’t have full access (for example you may not be allowed to install software on it) this restriction may apply to the attacker as well. However, many attackers will be happy with this depending on what they want to do, or they may use this as a first step and use a different vulnerability to gain full access once they have limited access. The reports today suggest that the “bad guys” have adapted previously available tools to use the newly discovered vulnerability and now that the news is out this process will be much easier for the next “bad guy”.

How do I know if I am at risk?

Well, the simplest way to answer this is that if you use a Windows computer (rather than a Mac or something else) and you’re not sure then you probably are at risk. If you already use Chrome or Firefox or another safer browser, then you’re not affected by this particular vulnerability. If you’re not sure what browser you use it is almost certainly Internet Explorer.

What should I do?

The simplest way is to avoid using Internet Explorer. Click here to get Google’s Chrome web browser. Follow the instructions there to download and install it and use that to look at web pages instead of Internet Explorer.

You may find that some specialised sites are fussy and only work correctly in Internet Explorer. If you need to use a site like this and it won’t work right in Chrome, then use Internet Explorer for just that site and do all your other web browsing in Chrome. As always, for security sensitive sites such as online banking, sites where you are buying online and your work webmail make sure you ALWAYS type the address yourself. DO NOT use shortcuts, favorites, bookmarks and especially never trust a link in an email, no matter how genuine it looks!

Microsoft, of course, have different advice. They suggest you install what they call their Enhanced Mitigation Experience Toolkit v3.0. However, this does not really correct the problem. It just turns up the paranoia settings in Internet Explorer so it warns you and asks permission every time any web page tries to do anything automatic. This will generate a flurry of warnings for users to answer and will probably stop many legitimate sites from working correctly, so it’s not the best solution. However with no time to act it’s about all they could do.

Hopefully Microsoft will come up with a better solution soon, however, so as always make sure you have automatic updates turned on and you allow them to install when they want to.
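For readers who would rather check than guess, the script below is an added example (not from this post or from Microsoft) that answers the two questions above: is this an Internet Explorer 6 to 9 install on Windows XP, Vista or 7, and is Automatic Updates set to install on its own? It reads the installed IE version and the Automatic Updates setting from the registry locations Windows uses for them and assumes PowerShell is available on the machine.

```powershell
# Added example: report whether this machine matches the affected combination
# (IE 6-9 on Windows XP, Vista or 7) and whether Automatic Updates is on.
# Assumption: PowerShell is installed (Windows 7 has it; XP and Vista may not).

function Get-IEExposure {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE 10 and later record their real version in svcVersion; older builds only have Version.
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $ieMajor   = if ($ieVersion) { [int]($ieVersion -split '\.')[0] } else { 0 }

    # 5.1 = XP, 6.0 = Vista, 6.1 = Windows 7, 6.2 = Windows 8
    $os = [System.Environment]::OSVersion.Version
    $affectedOS = ($os.Major -eq 5 -and $os.Minor -ge 1) -or
                  ($os.Major -eq 6 -and $os.Minor -le 1)

    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then notify, 4 = install automatically
    $autoInstall = ($au.AUOptions -eq 4)

    New-Object PSObject -Property @{
        IEVersion          = $ieVersion
        WindowsVersion     = "$($os.Major).$($os.Minor)"
        AffectedByThisBug  = ($ieMajor -ge 6 -and $ieMajor -le 9 -and $affectedOS)
        AutoUpdatesInstall = $autoInstall
    }
}

$result = Get-IEExposure
$result | Format-List

if ($result.AffectedByThisBug) {
    Write-Warning 'Affected combination: use another browser until Microsoft ships a fix.'
}
if (-not $result.AutoUpdatesInstall) {
    Write-Warning 'Automatic Updates is not set to install automatically; turn it on so the fix arrives.'
}
```

A machine that reports AffectedByThisBug as False because it already runs IE 10 on Windows 8 still needs Automatic Updates on; the second warning applies regardless of browser.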

Of course you should make sure you keep all other relevant software up to date. Make sure you have a current and reputable anti-virus package installed (such as Kaspersky Antivirus 2012) and check that it is updating correctly and automatically. Also install updates to Adobe Reader, Adobe Flash and Sun Java when they ask. If you haven’t seen them ask lately then they may not be configured correctly to check for updates. If you’re not sure about any of this then ask for help from someone suitable. If you are a customer of GC Support (or you want to be) then ask me!


That which we call a rose

Friday, 20th April, 2012

UPDATE: Since I wrote this Apple have changed the name of the iPad in question to the “iPad with WiFi + Cellular” in many markets including Australia. This solves the problem neatly and reduces the following article to historical interest only.

You may have heard about the fuss surrounding what Apple calls “The New iPad” and what everyone else calls the “iPad 3”. One of the main issues surrounds the device’s internet connection. All versions of the new iPad can connect via WiFi and Apple calls these “WiFi models” which is fair enough. But some can also connect via mobile phone networks and Apple calls these “WiFi + 4G” and this is where the problems arise.

“WiFi + 4G” models of the iPad actually have a radio transceiver, circuitry and programming to connect to a wide range of mobile phone networks over which internet connection can be obtained. It can connect to GSM (otherwise known as second generation or 2G networks) and EDGE (2.5G) on 850, 900, 1800 & 1900 MHz. It can connect to UMTS, HSPA, HSPA+ & DC-HSDPA (all known as 3G networks) on 850, 900, 1900 & 2100 MHz. And finally it can also connect to LTE (one kind of 4G network) on 700 & 2100 MHz only. This is great for users in the United States where popular carriers such as Verizon and AT&T use these bands for LTE/4G services since these services deliver really fast data.

Unfortunately in Australia and many other countries 4G networks (where they exist at all) are not on these same frequencies. The only available 4G network in Australia is provided by Telstra on 1800 MHz and therefore the new iPad can’t use it. Instead a new iPad in Australia connected to Telstra will connect to their 3G network known as NextG (a Telstra brand name) on 850 MHz.

Because of this consumer rights advocates and the Australian Competition and Consumer Commission (the ACCC) have slammed Apple for marketing the “WiFi + 4G” model in Australia under that name, claiming it’s unfair to consumers to sell a product with 4G in the name even though it can’t connect to any 4G networks in the country. Apple, of course, take a different view. They have agreed to notify some customers about the issue, to offer refunds to some who may have been misled and to put up signage clarifying that the device can’t connect to “current Australian 4G LTE networks”. But the controversy doesn’t end here.

Although Apple’s Australian website now makes less mention of the 4G feature and carries disclaimers explaining the issue, when you click through to buy the new iPad you are still asked to choose the “WiFi” or the “WiFi + 4G” model. As a result the ACCC continues to pursue Apple over this and Apple in return have made some curious comments. One of these, according to media reports, is that various Australian 3G networks “are 4G networks in accordance with accepted industry and regulatory use of the descriptor ‘4G’”. But do we accept that a 4G network by any other name would be as fast? Why does the name matter?

I believe one of the fundamental problems is that we don’t have a good, short, generic term for a fast mobile internet connection. We got in the habit of calling such connections “3G” when that was the fastest there was. Now we have “4G” starting to appear, but it’s not universal which leads to problems like Apple’s “iPad with WiFi + 4G”. There just isn’t a name as short and easy for Apple to change it to. Even the term “mobile broadband”, which is about as succinct as it gets, is too long and unwieldy. Also the word “broadband” has so little meaning that it is next to useless.

If there was such a term maybe Apple would be pleased to use it. After all the “iPad with WiFi + 4G” can also connect to many fast (and slower) networks that aren’t 4G as you can see from the list above.

“3G” and “4G” are adjectives describing the mobile data connection, however they have come to be used as the name for the connection itself. I’m sure those who study language have a name for this phenomenon. We need a new, really short, catchy name for a mobile data or internet connection. If you have one send it to Apple and save everyone a whole lot of trouble. (And deny a few lawyers that bigger yacht they had their eyes on.)

GC


Explained: A Strange WinXP/IE8 issue

Friday, 13th April, 2012

Phil, also known as PryMal, who is a Tech Talk Radio listener, has sent me the following information:

I’ve tripped over this recently and in case you’d not found a fix yet, it appears as though it was a botched update from MS that pushed 64bit code for IE which starts background at boot, into 32bit operating system environments including XP: Well done Microsoft!

Which at least explains why the ctrl-alt-del works to get explorer.exe running and the version of IE8 on the MS site is the NON 64-bit coded 32-bit version.

Figured you might like the whole story on that if you’d not yet found it.

So that seems to explain the nature of the problem further and the method below still seems to be the way to deal with the issue.

I haven’t seen any more examples of this since the cluster I had around the time of the previous post, so I think this puts an end to this issue. Thanks to Phil for providing the detail of where Microsoft went wrong.

GC


A Strange WinXP/IE8 issue.

Tuesday, 24th January, 2012

I’m chasing a strange issue. A number of machines on one of my sites have been affected, however I have no reports from other sites with similar setups.

The machines are Windows XP Pro. SP3, are domain members and with Automatic Updates (direct from MS, no WSUS server) turned on. They have Office 2007 and the usual assortment of other utilities and applications such as Adobe Reader. The site uses Kaspersky Antivirus controlled by the Kaspersky Admin Kit.

The issue seems typically to present when the user arrives in the morning to a normal login prompt, and upon entering their credentials they get the following error:

With Explorer.exe out of action of course the user gets no desktop, taskbar, start menu and so on and clicking OK on the message only results in further similar messages.

The fix is to press Ctrl-Alt-Del, start the Task Manager, click the New Task button and use the Browse dialog to locate another copy of Iertutil.dll and copy it to the C:\Windows\System32 folder. You can then restart from the Ctrl-Alt-Del dialog and the system will log in normally.

At this point IE8 is still broken so download IE8-WindowsXP-x86-ENU.exe from the MS website using another browser (or another computer) and install it. It will re-start a couple of times and then force you to do the annoying first-run tasks, but after that the system will be back to normal.
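Phil’s explanation in the later post above (a 64-bit Iertutil.dll pushed onto 32-bit Windows) can be checked directly, because a DLL records which processor it was built for in its PE header. The script below is an added example (not from this post) that reads that header field for the copy in System32 and warns when a 64-bit DLL is found on a 32-bit system, which is also a quick way to confirm the replacement copy you drop in is really the 32-bit one. It assumes PowerShell is installed on the XP machine (it is not there by default) and checks nothing else about the file.

```powershell
# Added example: report whether a DLL is 32-bit or 64-bit from its PE header,
# so a 64-bit Iertutil.dll in a 32-bit Windows XP System32 can be spotted.
# Assumption: PowerShell (2.0 or later) is installed on the machine.

function Get-PEMachine {
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header starts with "MZ"; the 4 bytes at offset 0x3C give the PE header offset.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return 'not a PE file'
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length -or
        $bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        return 'not a PE file'
    }
    # The COFF header's 2-byte Machine field follows the "PE\0\0" signature.
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64 (64-bit)' }
        default { 'unknown machine type 0x{0:X4}' -f $machine }
    }
}

$dll = Join-Path $env:SystemRoot 'System32\iertutil.dll'
# Pointer size of this PowerShell process: always 4 on 32-bit Windows XP.
$is64BitProcess = [IntPtr]::Size -eq 8

if (-not (Test-Path $dll)) {
    Write-Host "$dll is missing"
} else {
    $arch = Get-PEMachine -Path $dll
    Write-Host "$dll : $arch"
    if (-not $is64BitProcess -and $arch -like 'x64*') {
        Write-Warning 'A 64-bit iertutil.dll on a 32-bit system: Explorer cannot load it. Replace it with a 32-bit copy as described above.'
    }
}
```

Get-PEMachine works on any EXE or DLL, so the same call can be pointed at the replacement copy before it is put into System32.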

It appears like an automatic windows update is crashing and corrupting the installation of IE, however I’m not sure why. I’m also not sure why it is only affecting certain machines and not others. If you have any knowledge of this problem I would very much like to hear from you.

GC


Welcome

Sunday, 13th November, 2011

Welcome to the website for my IT support business, GC Support.

It isn’t my plan that this be a highly dynamic site with lots of updates but more a place to store some useful links and downloads for use by my customers and associates.

Thank you for your interest.

GC
