PC makers place users at risk with software updaters

Security researchers at Duo Labs have warned that PC manufacturer updaters, commonly found on new laptops, are riddled with security flaws.

The researchers said it was “far to easy” to find bugs and vulnerabilities from programmes included in hardware by the likes of Lenovo, HP, Dell, Acer and Asus.

Far too easy

“Shovelware, crapware, bloatware, ‘value added’ – it goes by a lot of names – whatever you call it, most of it is junk (please, OEMs, make it stop),” said security researcher Darren Kemp.

“The worst part is that OEM software is making us vulnerable and invading our privacy. Issues like Superfish and eDellRoot make us less secure and are often easy to abuse in practice. With that in mind, Duo Labs decided to dig in to see how ugly things can get,” Kemp said.

The researchers quickly discovered the presence of third-party update tools, which obviously raised concerns at the potential security risk posed to the end-user.

“Updaters are an obvious target for a network attacker, this is a no-brainer,” said Kemp. “There have been plenty of attacks published against updaters and packaged management tools in the past, so we can expect OEM’s to learn from this, right?”

Unfortunately, Kemp and his fellow researchers broke all of these updaters, some of which were worse than others, but every one contained a flaw.

“Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.”

Kemp noted that while some vendors made no attempts to harden their updaters, others had tried to, but “were tripped up by a variety of implementation flaws and configuration issues”. He said: “In total, we identified and reported twelve unique vulnerabilities across all of the vendors.”

The researchers found that every laptop vendor shipped their machines “with a pre-installed updater that had at least one vulnerability, allowing arbitrary remote code execution as SYSTEM, facilitating a complete compromise of the affected machine”.

Name and shame

All laptop vendors were guilty. Dell, for example, shipped an updater that contained “one high-risk vulnerability involving lack of certificate best practices, known as eDellroot”.

HP machines meanwhile, shipped with two high-risk vulnerabilities that “could have resulted in arbitrary code execution on affected systems”. In addition, five medium-to-low risk vulnerabilities were also identified.

Asus shipped one high-risk vulnerability that could allow for arbitrary code execution as well as one “medium severity local privilege escalation”.

Acer had two high-risk vulnerabilities, while Lenovo contained one high-risk vulnerability – all of these could allow arbitrary code execution.

Last year, Lenovo caused controversy when it emerged that new laptops came bundled with adware software. It had begun shipping laptops pre-installed with software called Superfish in September 2014. But it later pledged that all of its Windows 10 devices would be shipped free of the adware.