At ThreatSTOP we have been reading about the Lenovo/Superfish adware security hole with amazement. Not so much at the enormous gaping hole that has been discovered (sadly that seems to be SOP at too many places) but at the way that the various parties involved have completely failed to understand that they have created such an enormous gaping hole.

Given that the creators of the hole seem to be unclear on why they have caused a problem, we now believe that it is worth blocking all connections to superfish.com and its associated adware domains (e.g. best-deals-products.com). The following IP addresses have been added to our system in the TSCriticalG feed, which is present in most user policies either directly or because it is included in the BASIC policy:


This will not stop the gaping hole (which seems to get ever more gaping as people look at it more deeply), but it should help our customers determine which computers in their network are vulnerable, because those will be the ones making dozens of connections to these IP addresses. Once these devices have been identified, it is critical both to uninstall the software and to verify that the offending root certificate(s) have been removed from them.
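To turn that into a concrete check, here is an added example (not ThreatSTOP's own tooling) that counts, per internal host, the connections to a blocklist of destination addresses in firewall log lines and flags the hosts whose count crosses a threshold. The blocklist entries, the log format and the log lines are constructed placeholders for illustration, not the feed's real addresses.

```python
import ipaddress
from collections import Counter

# Constructed placeholders (RFC 5737 documentation range) standing in for the
# addresses in the blocking feed; replace with the feed's real entries.
BLOCKED_IPS = frozenset({
    "198.51.100.101", "198.51.100.103", "198.51.100.105",
})

# Constructed firewall log, shape: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2015-02-20T09:01:02 10.0.1.15 -> 198.51.100.101:443 BLOCK
2015-02-20T09:01:03 10.0.1.15 -> 198.51.100.103:443 BLOCK
2015-02-20T09:01:05 10.0.1.15 -> 198.51.100.105:443 BLOCK
2015-02-20T09:01:09 10.0.1.15 -> 198.51.100.101:443 BLOCK
2015-02-20T09:01:11 10.0.1.22 -> 198.51.100.101:443 BLOCK
2015-02-20T09:01:14 10.0.1.30 -> 203.0.113.9:443 ALLOW
2015-02-20T09:01:20 10.0.1.15 -> 198.51.100.103:443 BLOCK
2015-02-20T09:02:00 firewall restarted
"""


def parse_line(line):
    """Return (src_ip, dst_ip) for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    src, dst = parts[1], parts[3].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return src, dst


def count_hits(log_text, blocked=BLOCKED_IPS):
    """Map each internal source address to its number of connections to blocked addresses."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in blocked:
            hits[parsed[0]] += 1
    return hits


def suspect_hosts(log_text, threshold=12, blocked=BLOCKED_IPS):
    """Hosts at or above the threshold (the post says 'dozens') need uninstall and cert cleanup."""
    return sorted(h for h, n in count_hits(log_text, blocked).items() if n >= threshold)


if __name__ == "__main__":
    # A low threshold for the short constructed sample; raise it for real traffic volumes.
    print(suspect_hosts(SAMPLE_LOG, threshold=3))
```

A single connection (like 10.0.1.22 above) can be a one-off lookup, so the threshold, not any hit at all, is what separates a host that needs cleanup from background noise.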