lurkingatu2
Active Member
well it seems that Lavasoft Ad-Aware was playing around with Superfish also
from the Lavasoft facebook page
https://www.facebook.com/lavasoft.adaware
A great deal of attention has been given to recent event surrounding Superfish and Lenovo, and the resulting security vulnerability that has been exposed in a Komodia, a sub-component of Superfish’s product.
Lavasoft takes security issues very seriously, and would like to take a moment to explain to its users who are naturally concerned by the overlap between Lavasoft and Komodia.
Background and Recent Events:
• Komodia delivers a collection of utility SDKs for scanning and intercepting internet traffic on a user’s PC.
• Applications using Komodia SDKs include ad injectors, parental control services, and security products such as Ad-Aware Web Companion.
• One of the technologies used by Komodia to inspect HTTPS (SSL-encrypted) web traffic is a root certificate.
• The private key of this certificate was compromised, creating a security risk that can be exploited by another program running on the same PC.
Key Facts:
• For the past year, Lavasoft was developing and testing a new security feature in Ad-Aware Web Companion to scan and eliminate malicious content/advertising in HTTPS traffic, including content injected by internet proxies installed on the PC.
• This functionality was implemented with one of Komodia’s public SDKs (the SSL Digestor). At no point was any encrypted information collected or analyzed. All analysis of incoming traffic to eliminate security risks was performed on the end-user’s PC.
• Several weeks ago, upon consultation with our partners and evaluation of the risks/benefits, prior to the public announcement of the security risk, Lavasoft took the decision to remove the functionality and eliminate the deployment of the root certificate to inspect the traffic.
• Lavasoft’s most recent release of Ad-Aware Web Companion (released on February 18th 2015) does not include this capability, but we are not yet able to confirm with certainty that the compromised component of the Komodia SSL Digestor has been removed. If still present, a new release of Web Companion will be issued promptly on Monday morning.
Lavasoft is in contact with its partners to ensure the message is properly communicated. We thank you for your patience and your understanding.
James
from the Lavasoft facebook page
https://www.facebook.com/lavasoft.adaware
A great deal of attention has been given to recent event surrounding Superfish and Lenovo, and the resulting security vulnerability that has been exposed in a Komodia, a sub-component of Superfish’s product.
Lavasoft takes security issues very seriously, and would like to take a moment to explain to its users who are naturally concerned by the overlap between Lavasoft and Komodia.
Background and Recent Events:
• Komodia delivers a collection of utility SDKs for scanning and intercepting internet traffic on a user’s PC.
• Applications using Komodia SDKs include ad injectors, parental control services, and security products such as Ad-Aware Web Companion.
• One of the technologies used by Komodia to inspect HTTPS (SSL-encrypted) web traffic is a root certificate.
• The private key of this certificate was compromised, creating a security risk that can be exploited by another program running on the same PC.
Key Facts:
• For the past year, Lavasoft was developing and testing a new security feature in Ad-Aware Web Companion to scan and eliminate malicious content/advertising in HTTPS traffic, including content injected by internet proxies installed on the PC.
• This functionality was implemented with one of Komodia’s public SDKs (the SSL Digestor). At no point was any encrypted information collected or analyzed. All analysis of incoming traffic to eliminate security risks was performed on the end-user’s PC.
• Several weeks ago, upon consultation with our partners and evaluation of the risks/benefits, prior to the public announcement of the security risk, Lavasoft took the decision to remove the functionality and eliminate the deployment of the root certificate to inspect the traffic.
• Lavasoft’s most recent release of Ad-Aware Web Companion (released on February 18th 2015) does not include this capability, but we are not yet able to confirm with certainty that the compromised component of the Komodia SSL Digestor has been removed. If still present, a new release of Web Companion will be issued promptly on Monday morning.
Lavasoft is in contact with its partners to ensure the message is properly communicated. We thank you for your patience and your understanding.
James
