Security researchers at Duo Labs have warned that PC manufacturer updaters, commonly found on new laptops, are riddled with security flaws.
The researchers said it was “far to easy” to find bugs and vulnerabilities from programmes included in hardware by the likes of Lenovo, HP, Dell, Acer and Asus.
Far too easy
“Shovelware, crapware, bloatware, ‘value added’ – it goes by a lot of names – whatever you call it, most of it is junk (please, OEMs, make it stop),” said security researcher Darren Kemp.
The researchers quickly discovered the presence of third-party update tools, which obviously raised concerns at the potential security risk posed to the end-user.
“Updaters are an obvious target for a network attacker, this is a no-brainer,” said Kemp. “There have been plenty of attacks published against updaters and packaged management tools in the past, so we can expect OEM’s to learn from this, right?”
Unfortunately, Kemp and his fellow researchers broke all of these updaters, some of which were worse than others, but every one contained a flaw.
“Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.”
Kemp noted that while some vendors made no attempts to harden their updaters, others had tried to, but “were tripped up by a variety of implementation flaws and configuration issues”. He said: “In total, we identified and reported twelve unique vulnerabilities across all of the vendors.”
The researchers found that every laptop vendor shipped their machines “with a pre-installed updater that had at least one vulnerability, allowing arbitrary remote code execution as SYSTEM, facilitating a complete compromise of the affected machine”.
All laptop vendors were guilty. Dell, for example, shipped an updater that contained “one high-risk vulnerability involving lack of certificate best practices, known as eDellroot”.
HP machines meanwhile, shipped with two high-risk vulnerabilities that “could have resulted in arbitrary code execution on affected systems”. In addition, five medium-to-low risk vulnerabilities were also identified.
Asus shipped one high-risk vulnerability that could allow for arbitrary code execution as well as one “medium severity local privilege escalation”.
Acer had two high-risk vulnerabilities, while Lenovo contained one high-risk vulnerability – all of these could allow arbitrary code execution.
Last year, Lenovo caused controversy when it emerged that new laptops came bundled with adware software. It had begun shipping laptops pre-installed with software called Superfish in September 2014. But it later pledged that all of its Windows 10 devices would be shipped free of the adware.
Security vendor Flashpoint debuts partner programme following $28m funding
Complex buying journeys and sprawling partner networks hampering customer experience, says Accenture
Datacentre provider Cyxtera says launch is “milestone in our go-to-market strategy”
Ensono highlights importance of mainframes still to major industries
Security vendor VASCO looks to replicate UK and German set up across EMEA
Splunk details investment in Partner+ programme at .conf2017
