
PC makers place users at risk with software updaters

Security researchers at Duo Labs have warned that PC manufacturer updaters, commonly found on new laptops, are riddled with security flaws.

The researchers said it was “far too easy” to find bugs and vulnerabilities in the programmes bundled with hardware by the likes of Lenovo, HP, Dell, Acer and Asus.

Far too easy

“Shovelware, crapware, bloatware, ‘value added’ – it goes by a lot of names – whatever you call it, most of it is junk (please, OEMs, make it stop),” said security researcher Darren Kemp.

“The worst part is that OEM software is making us vulnerable and invading our privacy. Issues like Superfish and eDellRoot make us less secure and are often easy to abuse in practice. With that in mind, Duo Labs decided to dig in to see how ugly things can get,” Kemp said.

The researchers quickly discovered the presence of third-party update tools, which obviously raised concerns at the potential security risk posed to the end-user.

“Updaters are an obvious target for a network attacker; this is a no-brainer,” said Kemp. “There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEMs to learn from this, right?”

Unfortunately, Kemp and his fellow researchers were able to break every one of these updaters. Some were worse than others, but each contained at least one flaw.

“Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.”

Kemp noted that while some vendors made no attempts to harden their updaters, others had tried to, but “were tripped up by a variety of implementation flaws and configuration issues”. He said: “In total, we identified and reported twelve unique vulnerabilities across all of the vendors.”

The researchers found that every laptop vendor shipped their machines “with a pre-installed updater that had at least one vulnerability, allowing arbitrary remote code execution as SYSTEM, facilitating a complete compromise of the affected machine”.
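To make the missing defence concrete, the following is an added example (not code from Duo Labs or from any of the vendors named) of the checks an updater has to perform before it runs a downloaded package: a manifest signed with a key pinned in the client, and a digest binding the package bytes to that manifest. The manifest format, the sample package bytes and the vendor key pair are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest: metadata fetched beside the package. Hypothetical format, constructed for this example.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the expected package bytes
	Sig     []byte // ed25519 signature over Version + "\n" + SHA256
}

func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is the vendor's offline release step (private key never leaves the build system).
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest, Sig: ed25519.Sign(priv, manifestBytes(version, digest))}
}

// VerifyUpdate is what the client must run before executing anything: the manifest must be signed
// by the pinned vendor key and the bytes must hash to the digest it names. A network attacker can
// swap either one in transit, but cannot produce a valid signature without the vendor's private key.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package digest mismatch: payload altered")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := []byte("constructed sample installer bytes")
	m := SignManifest(priv, "1.2.3", pkg)
	fmt.Println("genuine:", VerifyUpdate(pub, m, pkg))
	fmt.Println("tampered:", VerifyUpdate(pub, m, []byte("swapped in transit")))
}
```

An updater that skips either check, or fetches the manifest and package without authenticating their origin, is exactly the kind of client a MITM attacker can feed arbitrary code to.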

Name and shame

All laptop vendors were guilty. Dell, for example, shipped an updater that contained “one high-risk vulnerability involving lack of certificate best practices, known as eDellRoot”.

HP machines, meanwhile, shipped with two high-risk vulnerabilities that “could have resulted in arbitrary code execution on affected systems”. In addition, five medium-to-low risk vulnerabilities were also identified.

Asus shipped one high-risk vulnerability that could allow for arbitrary code execution as well as one “medium severity local privilege escalation”.

Acer had two high-risk vulnerabilities, while Lenovo contained one high-risk vulnerability – all of these could allow arbitrary code execution.

Last year, Lenovo caused controversy when it emerged that new laptops came bundled with adware software. It had begun shipping laptops pre-installed with software called Superfish in September 2014. But it later pledged that all of its Windows 10 devices would be shipped free of the adware.

Antony Savvas

York, UK-based Antony Savvas has been a technology journalist for 25 years and has expertise in all major areas of enterprise and consumer IT. He has worked for a number of leading technology magazines and websites and his work is syndicated across the internet. He also undertakes corporate work for some of the world's leading technology companies.
