Lavasoft Information for VU#529496
Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys
- Date Notified: 20 Feb 2015
- Statement Date: 23 Feb 2015
- Date Updated: 25 Feb 2015
Here's the official statement from the company (on our website), announcing the updated release which is now live:
* For the past year, Lavasoft was developing and testing a new security feature in Ad-Aware Web Companion to scan and eliminate malicious content/advertising in HTTPS traffic, including content injected by internet proxies installed on the PC.
* This functionality was implemented with one of Komodia's public SDKs (the SSL Digestor). At no point was any encrypted information collected or analyzed. All analysis of incoming traffic to eliminate security risks was performed on the end-user's PC.
* Several weeks prior to the public announcement of the root CA certificate vulnerability, and upon consultation with our partners and evaluation of the risks/benefits, Lavasoft took the decision to remove the functionality that required the SSL Digestor.
* Lavasoft's most recent release of Ad-Aware Web Companion (released on February 18th 2015) does not include this capability, but we have confirmed that the compromised component of the Komodia SSL Digestor is still present. A new release of Web Companion will be issued imminently to correct this, with all end-users being notified of the update via the product. In the interim, the root CA certificate issued to "Lavasoft Limited" can be removed manually without consequences to the product.
Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 18.104.22.168 are affected.