Mozilla scrubs Superfish certificate from Firefox

Firefox update removes from the browser's repository the self-signed digital certificate implanted by Superfish

Superfish
Credit: USF&WS

Mozilla has released an update to Firefox that erases the self-signed digital certificate implanted by Superfish, the vulnerable adware that blew up in Lenovo's face a week and a half ago.

The update was issued Friday, Feb. 27.

"We are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox," said Richard Barnes, a Mozilla security engineer, on a company blog. "We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites."

Lenovo has been vilified by some customers and security experts for bundling the Superfish Visual Discovery adware with its consumer-grade personal computers during a four-month stretch in late 2014. Superfish left a gaping hole in the company's computers: Hackers were handed ways to intercept and steal critical information, including passwords, that was not properly safeguarded by encryption.

To inject ads into other websites, including those that encrypted traffic, Superfish inserted its own SSL (Secure Socket Layer) certificate, which proved woefully insecure. Users needed to not only uninstall the program, but also delete the Superfish certificate.

Since Firefox uses its own certificate store -- unlike other browsers, such as Google's Chrome and Microsoft's Internet Explorer, it does not rely on Windows' own -- removing the rogue certificate was difficult for some users.

While Lenovo's instructions showed how to clean the Firefox certificate store, Barnes said some automated tools did not properly disinfect Mozilla's browser: hence the emergency update.

Mozilla had been working on the hotfix since Feb. 18, when news first broke about Superfish's vulnerability to abuse.

Firefox 36 with the hotfix can be downloaded from Mozilla's website. Current users can manually trigger an update by selecting "About Firefox" from the Firefox menu. Before updating, users should ensure that the Superfish software has already been uninstalled.

Also on Friday, Lenovo pledged to reduce the number of pre-loaded third-party applications on its consumer PCs, saying that it would limit so-called "bloatware" to security software, such as the 30-day trial to McAfee's antivirus suite that is now added to its systems.

This story, "Mozilla scrubs Superfish certificate from Firefox" was originally published by Computerworld.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.