Superfish, the adware that was being distributed by Lenovo sounded bad enough, right? Well, here’s worse: PrivDog, a tool that tampers with SSL certificates is being promoted by Comodo, a security company. PrivDog has a massive vulnerability that basically allows the same man-in-the-middle attack as the adware, Superfish. However, it is important to note that the version of PrivDog with the problem was never directly distributed by Comodo. It seems the version with the vulnerability was avoided and the previous version of the software was bundled with Comodo Internet Security. In any case association with such an incident is bound to be questionable.
Analyzing the Problem
In order to replace ads on HTTPS protected websites, PrivDog installs a self generated root certificate on the system. Thus, whenever a user tries to access a secure HTTPS website, PrivDog replaces the SSL certificate of the original website with its own local certificates signed with its own, locally installed, root certificate which is essentially a man-in-the-middle proxy. This means PrivDog can be used to decrypt and manipulate otherwise secure traffic.
According to the US Computer Emergency Readiness Team (CERT):
Adtrustmedia PrivDog is a Windows application that advertises “… safer, faster and more private web browsing.” Privdog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 126.96.36.199 is affected.
Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.
Since it turns out that PrivDog does not properly validate the original website certificates, it could easily be exploited by an attacker and could lead to phishing. This makes the problem even more serious than the one in Superfish.
As stated by PC World:
“Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.”
Mark James, an ESET security specialist also mentioned:
“The standalone version of PrivDog, when installed, creates [a root SSL] certificate, and it will intercept every certificate it finds and then replace it with one signed by its root key. This enables it to replace adverts in web pages with its own ads from ‘trusted sources’.”
“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless if it’s been signed by a certificate authority or not”
This major issue is present in PrivDog versions 188.8.131.52 and 184.108.40.206 and anyone using one of these versions should remove the application immediately.
The Adtrustmedia-PrivDog team have released a security advisory warning people of the vulnerability, but surprisingly have assigned it a threat level of “low”. A newer version is also available for download at the company’s site.
The PrivDog team have reported:
A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version
It seems the problem has been patched fairly fast but fixing the reputation of the company will take much longer, especially since PrivDog’s sole purpose is ensuring user privacy and blocking unwanted ads.
Comodo on the other hand responded by saying that the affected version of PrivDog was never distributed by them. The version bundled with Comodo Internet Security was version 2 which was not affected by the vulnerability. Although this is a fair point, it is baffling that an SSL certificate company is supporting and closely related to such software. You would expect a security company to know better.
An Unpleasant Surprise
The most surprising thing in this case are the parties involved. PrivDog (an application that promises safer, faster and more trusted web browsing) and Comodo (a security company that specializes in SSL certificates). Both these companies will have an uphill battle when it comes to regaining the trust of their users. It is definitely shocking that applications that claim to improve security actually end up making their users more vulnerable and prone to attacks.
Have a nice (vulnerability-free) day!