Getting Superfish out of Firefox

First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”.  If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow these instructions to remove it.

The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines.  SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to masquerade as secure websites, in order to spy on users or steal personal information.  Firefox is affected by Superfish, but Mozilla is deploying a hotfix to Firefox that works with other disinfection software to ensure that Firefox is disinfected as well.

Like other SSL interception software, Superfish seeks to add functionality to the Web by intercepting secure Web connections and injecting content into Web sites.  In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores.  With this trusted authority in place, Superfish can effectively create a fake ID for any website, so that it can convince Firefox that the browser is connected to the real website — even though it’s actually connected to Superfish.

This would be no worse than garden-variety adware if not for the fact that Superfish uses the same root certificate for all infected computers, and the private key for this certificate has been extracted and published to the Internet.  Using this private key, anyone on the Internet (not just Superfish) can create a fake ID that a Superfish-infected browser will accept.  So if you’re using a Superfish-infected computer to connect securely to your bank, you might actually be connected to a criminal that is presenting a fake ID for your bank.

It appears that on affected systems (e.g., Lenovo laptops pre-loaded with Superfish), Superfish infects Firefox by adding its root certificate to the Firefox root store.  The good news is that, according to research by Facebook and EFF, relatively few Firefox users appear to have been infected.  The bad news is that some of the current disinfection tools do not disinfect Firefox.

For users that wish to ensure that they are disinfected, the best thing to do is to follow Lenovo’s instructions for removing Superfish.  This will remove Superfish entirely from the computer, including removing it from Firefox.

Some other disinfection tools will remove Superfish from Windows, but not from Firefox.  In order to ensure that these users are not vulnerable, we are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox.  We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites.
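The following Python script is an added example, not code from this post or from Mozilla’s hotfix (which is a Firefox add-on, not Python). It does two things: it reproduces the manual check from the top of the post (look at who issued the certificate the browser was shown) using the standard library’s `ssl` module, and it models the hotfix’s removal rule from the paragraph above (remove the Superfish root only once the software itself is gone). It assumes the issuer organization string is exactly “Superfish, Inc.”, matching the “Verified by:” text the post describes; the two certificate dictionaries at the bottom are constructed samples in the shape `getpeercert()` returns, not real certificates.

```python
"""Added example: programmatic version of the "Verified by: Superfish, Inc."
check, plus a model of the hotfix's conditional root removal.
Assumption: an intercepted connection presents a leaf certificate whose
issuer organizationName is exactly "Superfish, Inc."."""

import socket
import ssl

SUPERFISH_ORG = "Superfish, Inc."


def issuer_organization(cert):
    """Return the issuer's organizationName from a certificate dict as
    returned by ssl.SSLSocket.getpeercert(): 'issuer' is a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def is_superfish_issued(cert):
    """True if the certificate the server presented was issued by Superfish,
    i.e. the connection is being intercepted."""
    return issuer_organization(cert) == SUPERFISH_ORG


def check_site(host, port=443):
    """Connect using the system trust store (where Superfish installs its
    root, so the handshake succeeds on an infected machine) and report
    whether the leaf certificate chains to Superfish.  Network call; the
    offline test below does not exercise it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return is_superfish_issued(tls.getpeercert())


def plan_root_removal(superfish_installed, root_store):
    """Model the hotfix rule: remove the Superfish root only when the
    interception software is no longer installed; removing it while the
    software still rewrites every connection would break all HTTPS sites.
    root_store is a list of root-certificate organization names.
    Returns (new_store, action)."""
    if SUPERFISH_ORG not in root_store:
        return list(root_store), "nothing-to-do"
    if superfish_installed:
        return list(root_store), "kept: software still installed"
    return [org for org in root_store if org != SUPERFISH_ORG], "removed"


# Constructed sample: what getpeercert() looks like behind Superfish.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

# Constructed sample: an ordinary certificate (CA name is made up).
NORMAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
}

if __name__ == "__main__":
    print("intercepted sample:", is_superfish_issued(INTERCEPTED_CERT))
    print("normal sample:", is_superfish_issued(NORMAL_CERT))
    print(plan_root_removal(False, ["Example Public CA", SUPERFISH_ORG]))
```

Running `check_site("www.example.com")` on an infected machine returns `True` because the handshake verifies against the Superfish root in the system store; on a clean machine it returns `False`. The same issuer check is what the post’s “click the lock icon” instruction does by hand.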

Finally, a word to software authors who might be considering SSL interception: If you want to add features to the Web, don’t intercept, make an extension.  All of the major browsers offer extension frameworks (see these links for Firefox, Chrome, IE, Safari, and Opera).   Using these toolkits helps you avoid violating users’ security, while also giving you more powerful, and easier-to-use tools than you can get from an interception system.  The Web works better when we build it together.

18 responses

  1. Rahul Biswal wrote on :

    Recently I have updated my Firefox to its latest version 36. It’s nice to know that Superfish adware has infected few of the Firefox users.

    I am pretty darn sure that the Mozilla team will be doing their great job for making a better and more secure Firefox in future. I have loved Firefox since 2008.

    Thanks

  2. Beth wrote on :

    I use Firefox and I’m one of the unlucky ones whose computer did get infected with superfish. Bravo to the people that did have this happen to them.

  3. Jade wrote on :

    Infected? I was reading so much about Superfish – but then realized I used it – more than once. It was a useful visual search for me. I didn’t feel “Infected”, as I do not feel so with Google AdWords or FB knowing where I am. It is what it is. The security breach is another issue – not sure who is to blame, but from what I read – it is not something Superfish wanted to have or knew about. I think we all went too far with burning this company. I, honestly, liked them. And since they made a lot of money, according to the Inc. 500 list – I guess others used them as well.

    1. Shawn wrote on :

      That exact point of view of yours is why companies like Lenovo can continue to do things like this. Companies who do not respect their customers should not be held accountable. As for Google AdWords and FB, they do mention how they would further process your information; while it is questionable if it’s an ethical practice, I have some respect for those companies for not hiding these things.

      I used to be a Lenovo customer. I will never use any of their products again; they have violated their customers’ trust.

      1. Shawn wrote on :

        should be held accountable*

    2. cipnrkorvo wrote on :

      Lenovo, for putting Superfish on their computers in the first place.

    3. Gary wrote on :

      You are clearly a paid shill working for Superfish and/or Lenovo. I’ve never seen a more obvious shill in my entire life.

    4. Amber wrote on :

      I think there are better uses of Superfish’s remaining funds other than to send out the shills. I hope you find work at a more reputable company, Jade.

  4. Simon Wright wrote on :

    Why should Firefox allow any dangerously broken HTTPS connections to succeed?

    If I see the lock symbol, I should be confident that Firefox has my back.

  5. Sivalingam Selvasekaran wrote on :

    Good work team, congrats for keeping us safer. I’ve been a great Firefox fan for a long time. The only thing that lets me down is that sometimes I have to restart Firefox when it becomes slower due to large memory usage.

  6. bvp wrote on :

    If possible, why not make it a governed whitelist where the user will have to explicitly accept (by password?) any additional root certificate wanting to add itself to the list? If this could work somehow (?) I suppose it could effectively reduce any future successful infections, not only from Superfish.

  7. Joe wrote on :

    Thanks

  8. Jimmy wrote on :

    I don’t own a Lenovo, so does that mean I still might have this Superfish because I have Firefox?

  9. dan wrote on :

    Firefox has the options to disable certificates but nobody checks the certificate store’s list every day just in case something’s been added.

    So here’s a suggestion for an enhancement for Firefox…

    If third party software drops an add-on into your Firefox profile then when Firefox is next started it asks if you want to enable or disable it. Perhaps the same thing could be done if a certificate is dropped into your certificate store… when Firefox is next started it could say that this certificate was installed by third party software, give some warning text about why this could be bad, and ask if you want to allow it to stay in the certificate store or wipe it.

    1. bvp wrote on :

      Yes, please! I like the idea. I applaud Mozilla for taking steps against Superfish specifically, but the steps should be broadened to account for future threats as well.

  10. Bela Lubkin wrote on :

    After upgrading to FF 36.0 (on Ubuntu 12.04.2 LTS x86_64) I see “Firefox Certificate Store Hotfix 20150225.01 (disabled)” in about:addons. It is greyed out and has a Remove button but no Enable button.

    Reading the discussion on https://bugzilla.mozilla.org/show_bug.cgi?id=1136150, it looks like this is intended for Windows only; also looks like it was supposed to remove itself after initialization. Perhaps since I’m on Linux it didn’t succeed well enough to remove itself.

    The final configuration, with an extension that I didn’t install, don’t need, and can’t enable, was a bit confusing and initially worrisome until I searched around and found out what it was about.

    Would have been better if at least one of:

    (1) it never tried to install itself in the first place (since I’m not on the target OS family)
    (2) its install / init code considered “not on target OS” a “success” condition and followed through on removing itself
    (3) the “More” link, which currently reads <> added something acknowledging the situation, e.g. “<> [but if you’re going to that trouble, might as well fix it for real as in (1) or (2)]

    1. Bela Lubkin wrote on :

      Perhaps due to bootstrap.js:

      function uninstall(data, reason) { }

      1. Richard Barnes wrote on :

        Hi Bela,

        Thanks for pointing this out. If you check the bug again, it looks like it’s being worked on, and there should be a fix to the hotfix out soon!