As discovered over the weekend by security researcher Filippo Valsorda (via ArsTechnica), software by the antivirus company Lavasoft, features vulnerable Komodia code (Komodia SSL Digestor) that issues root certificates allowing most browsers to trust any self-signed certificate, allowing hackers to forge trusted credentials for any HTTPS-protected webstie.
According to Valsorda, Lavasoft's Ad-aware Web Companion comes with the vulnerable code. The company says it is unable to confirm if the vulnerable Komodia code has been fully removed from the latest version of its Ad-aware Web Companion software, and will release an update if required.
On the other hand, the CEO of certificate authority Comodo (a company that Ars Technica says issues roughly one-third of the Internet's Transport Layer Security certificates) recently released PrivDog software that replaces ads with ads from trusted sources. According to Valsorda, PrivDog features code that fools most browsers into trusting any self-signed certificate, allowing for man-in-the-middle attacks that completely bypass HTTPS protection. It is said not to use Komodia's technology.
Meanwhile, Superfish CEO Adi Pinhas via email admitted to The Next Web that the company intentionally installed the root certificate authority in its Visual Browser software to "enable a search from any site" and serve better ads. The CEO went on to say the threat of the certificate was not known until security reports surfaced. Pinhas added the Superfish software is currently being used by 40 million users.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.