Microsoft's handed down a New Year's Resolution to PC manufacturers, and it's aimed at improving the Web browsing experience for all Windows users. After several high-profile cases of OEMs preloading insecure software onto their PCs — most notably Lenovo installing Superfish — Microsoft has decided that it's going to be more proactive when it comes to policing the adware installed in Windows.
As of March 31, 2016, any pre-loaded apps that "create advertisements in browsers must only use the browsers' supported extensibility model for installation, execution, disabling, and removal." This new rule, which Microsoft announced in a blog post on Monday (Dec. 21), aims to stop PC makers from including software that enables a form of the "man in the middle" attack to seize control of a user's internet connection and place advertisements wherever the adware is programmed to insert them.
Lenovo had been pre-installing Superfish's Visual Discovery software — which analyzed the images loaded in Web browsers and inserted links to ads with similar images — on PCs sold between October and December 2014, and made it tough for users to get rid of the software and patch the vulnerability it created. Microsoft has stated that "Programs that will fail to comply" with its new regulation "will be detected and removed."
After being ripped in the press for the bungle, Lenovo released a tool for removing it, and Microsoft added Visual Discovery and the root certificate for Superfish to the list of malware and unwanted programs to be detected and deleted by Windows Defender and Microsoft Security Essentials. With adware installed at the browser-extension level, it should be much easier for the average user to disable or delete these unwanted system modifiers, and the programs would have much less control over the system.
More than just adware that cluttered your screen with even more junk, Visual Discovery was a danger to users because it broke the secure HTTPS connections that websites use for everything from logging into Facebook to making safe online purchases. One user even discovered that the digital certificate used to guarantee a secure connection with Bank of America (BoA) had been swapped out with Superfish's own certificate, breaking the trustworthy connection the user had with the bank.
As Microsoft said on Monday, these adware tricks "add security risk to customers by introducing another vector of attack to the system," like Superfish's root certificate, which is not as secure as BoA's own certificates. Rob Graham, the CEO of Atlanta-based Errata Security, demonstrated how he cracked the password protecting the Superfish certificate in a matter of seconds, which gave him the power to stage man-in-the-middle attacks on Lenovo PCs.