Chinese computer manufacturer Lenovo (IBM’s former hardware division) is making headlines this month, but not the kind that most companies covet. Until as recently as January 2015, Lenovo has shipped a large number of computers with pre-installed software from adware company Superfish. In and of itself, this isn’t an uncommon practice – hardware manufacturers commonly reduce manufacturing costs for their consumer products by striking deals with various companies who pay to have their software installed on brand-new computers. As initially reported by security researcher Marc Rogers, the Superfish partnership was a bad one for Lenovo, not only because the software itself was already notorious for being adware, but also because it compromises the built-in security of your computer’s SSL protocols to do its dirty work. Lenovo initially tried to downplay the problem, but pressure from the security community and the resulting media attention has since caused Lenovo to reverse its position 180 degrees. The CTO apologized in an open letter, and the company has issued a fix that completely removes the vulnerable software.
What this means for you:
Unless you are really into the technical details, the “what” and “how” of the Superfish vulnerability is much less important than the “why” and the “who”. In this case, we know why Lenovo installed Superfish – presumably they benefitted financially in some fashion. The real problem behind this fiasco is that Lenovo (a “trusted” brand – I use a Yoga 3 while I’m out seeing clients) missed the security flaws in this arguably useless piece of software and endangered thousands of its customers for no other reason than to make a buck. Can any hardware manufacturer be trusted to have our security in mind when making and selling their products? If the most recent NSA hard drive firmware scandal is to be believed, I’d say the answer is a resounding “no”. As we’ve seen with numerous other industries, when a company is held more accountable to shareholder profit (or “patriotic” duty?) than to consumer wellbeing, the only person we can trust is ourselves.
Unfortunately, manufacturers like Lenovo, Dell and HP have made a bed that is now very uncomfortable in which to lie. Their practice of installing “bloatware” on their equipment have driven prices down to a level that may be very difficult to maintain if they can’t lean on the dollars gained by these pre-installed software deals. At minimum, they’ll have to be much more discerning on what they pre-install, which, in turn, will drive up costs and narrow their margins even further.
Usually Apple is able to sit on the sidelines of today’s technology security circus , enjoying a (debatable) reputation for being more secure than Windows and even Android. Unfortunately, it had to step into center stage this week and own up to a security flaw in its core networking code used in both iOS and OS X. And not just a little one either: this one affects how SSL-encrypted network traffic is handled, and it affects iPhones, iPads running iOS 6 or 7, and any computer running OS X 10.9 “Mavericks”.
What this means for you:
In a nutshell, the bug essentially prevents the affected device from verifying the identity of the certificate used to guarantee the SSL encryption. When your Apple device fires up a secure connection using SSL, the first thing it’s suppose to do is check the SSL certification of the destination by verifying it’s identity. Except, in the case of the bug, it doesn’t but reports back to the device that everything is OK. This would be the equivalent of putting a blind doorman in front of your bar to check ID’s. Apple has released a patch for iOS 6 and 7, but still has not issued a fix for the OS X platform.
For now, until you verify you’ve patched your mobile device with the latest security update for your version of iOS, I recommend against using any applications that transmit confidential data (your’s or your client’s) over the internet. On the desktop/laptop side, avoid using Safari until OS X is patched, and switch to a browser like Chrome or Firefox, both of which implement their own SSL code that is not affected by this flaw. To keep track of whether or not Apple has fixed this hole, you can visit: http://hasgotofailbeenfixedyet.com/
Update: As of Feb 25, Apple has issued a patch for OS X 10.9. Make sure your Apple devices update to the latest version of their corresponding operating system.