Updated: February 23, 2015
Affected
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
We have confirmed that PrivDog 3.0.96.0 is affected. Note that the above advisory has several inaccuracies. "The issue potentially affects a very limited number of websites." This is incorrect, as the impact of disabling SSL validation means that every website visited on a vulnerable system is affected. "In some circumstances self-signed certificates do not trigger a browser warning but encryption is still provided to the end user, hence security via encryption remains intact." While encryption may still be present between the client system and the web server, encryption is only one aspect of SSL or TLS. Authentication capabilities are completely disabled when PrivDog is installed. "The potential issue is only present if a user visits a site that actually has a self-signed certificate." This is incorrect, as any legitimate site that is visited can fall victim to a MITM attack.
Notified: February 23, 2015 Updated: February 26, 2015
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
COMODO products never distributed the mentioned edition(Desktop version of PrivDog, which has a totally different architecture). In security industry, the term "adware" is a type of malicious code which displays unwanted ads. Ad supported apps such as MSN Messenger or Skype or PrivDog are not classified as adware because 1 - The users consent is received 2 - It can be disabled or the product can be uninstalled We are an antivirus company and like other vendors, follow such methodologies while classifying it.
Updated: February 23, 2015
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
NetFilter SDK has SSL certificate validation capabilities, however the demonstration application that comes with the SDK doesn't use those capabilities.