Dear Friend of Maxthon,
This note is an update on Superfish, how it works, its relationship to Maxthon browsers and what we are doing to mitigate any issues related to it. Our engineering team has spent a good bit of time examining Superifsh and how it interacts with Maxthon.
Here is what we learned.
Superfish is malvertising software that Lenovo pro-actively pre-installed on several consumer PC product lines in 2013 and 2014. Its purpose is to control part of your web browsing and serve you advertising. It is designed to intercept all encrypted connections, things it shouldn’t be able to see. Superfish accomplishes this in an insecure way that leaves the system open to hackers or NSA-style spies. For example, it can spy on your private bank connections.
The function that intercepts and replaces encrypted connections within Superfish is known as a “SSL hijacker,” Specifically the Komodia Redirector with SSL Digestor. This SSL hijacker was created by an Israeli company called Komodia. An SSL hijacker opens up a HUGE security hole — effectively creating a ‘man in the middle’ attack on your machine. Superfish uses this hole to install its own root CA certificate in your Windows system. From that point on Superfish intercepts each SSL site certificate and swaps it out with a copy of its own that allows access to serve ads. SuperFish’s advertising works by injecting JavaScript code into web-pages. This can wreak havoc with websites, breaking them.
Even if you don’t have a Lenovo consumer PC your PC might have this vulnerability because Komodia sold this technology to other malware companies including:
- Atom Security
- Infoweise
- Komodia (KeepMyFamilySecure)
- Kurupira (Webfilter)
- Lavasoft (Ad-Aware Web Companion)
- Qustodia and Websecure LTD (Easy Hide IP Classic)
Now, Only the traffic from the browser to the SuperFish internal proxy uses the website’s certificate. The traffic on the Internet still uses the normal website’s certificate, so we can’t tell if a machine is infected by SuperFish by looking at this traffic.
However, SuperFish makes queries to additional webpages to download JavaScript.
And this is where Maxthon enters the picture.
Due to the way we handle javascript requests in our browser, Maxthon’s PC browser unintentionally triggers a false positive on the Superfish test. In most cases running the test on other browsers on your system will not. If you find yourself in a position where Maxthon is said to be insecure and Chrome (on the same machine) is not, do not worry. If you get positives from all browsers, you likely have Superfish.
To repeat: the way Maxthon browsers retrieve javascript can trigger a false positive during a Superfish detection test saying your system is at risk. Even though our browsers remain as secure as the best in the industry, we recognize the severity of this bug and have elevated it to the top of the line – P1 importance.
We are working on a fix for it as we speak and will update all affected browsers via a required browser update when complete.
In the meantime, if you have not already, please take a couple of minutes to test your Windows PC for the presence of Superfish. Use the link for a simple and fast test.
If you do determine you have Superfish, you will need to both uninstall the .exe AND manually remove the bogus CA certificate. This link will show you how remove it completely.
https://filippo.io/Badfish/removing.html
Thank-you for your continued support of Maxthon. We’ll keep you informed of any changes.
-Team Maxthon
Leave a Reply