Reality check. Its “far too easy” to break OEM updaters, and every one tested by Duo Labs contained a vulnerability
Security researchers at Duo Labs have warned that PC manufacturer updaters commonly found on new laptops, are riddled with security flaws.
The researchers said it was “far to easy” to find bugs and vulnerabilities from programmes included in hardware by the likes of Lenovo, HP, Dell, Acer and Asus.
Far Too Easy
“Shovelware, crapware, bloatware, ‘value added’ – it goes by a lot of names – whatever you call it, most of it is junk (please, OEMs, make it stop),” said security researcher Darren Kemp.
“The worst part is that OEM software is making us vulnerable and invading our privacy. Issues like Superfish and eDellRoot make us less secure and are often easy to abuse in practice. With that in mind, Duo Labs decided to dig in to see how ugly things can get.”
The researchers quickly discovered the presence of third-party update tools, which obviously raised concerns at the potential security risk posed to the end-user.
“Updaters are an obvious target for a network attacker, this is a no-brainer,” continued Kemp. “There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right?”
Unfortunately Kemp and his fellow researchers broke all of these updaters (some of which were worse than others, but every one contained a flaw.
“Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.”
Kemp noted that while some vendors made no attempts to harden their updaters, others had tried to, but “were tripped up by a variety of implementation flaws and configuration issues. In total, we identified and reported twelve unique vulnerabilities across all of the vendors,” wrote Kemp.
The researchers found that every laptop vendor shipped their machine “with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine.”
Furthermore, the found that laptop vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents. They also discovered that some vendors had multiple software updaters for different purposes and different implementations; some more secure than others.
“The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems,” warned Duo Labs.
Name And Shame
“The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant – meaning, trivial,” wrote Kemp.
And to make matters worse, all laptop vendors were guilty. Dell for example shipped an updater that contained “one high-risk vulnerability involving lack of certificate best practices, known as eDellroot.”
HP machines meanwhile shipped with two high-risk vulnerabilities that “could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.”
Asus meanwhile shipped one high-risk vulnerability that could “allow for arbitrary code execution as well as one medium severity local privilege escalation.”
Acer had two high-risk vulnerabilities, while Lenovo contained one high-risk vulnerability – all of these could allow arbitrary code execution.
Last year Lenovo caused controversy when it emerged that new laptops came bundled with adware software. It had begun shipping laptops pre-installed with software called Superfish in September 2014, but in 2015 pledged that all its Windows 10 devices would be shipped free from the adware.
Samsung also landed itself in hot water last year when an independent Microsoft engineer alleged that Samsung’s PC software updater was deliberately blocking Windows Update from automatically installing patches and other upgrades, potentially exposing users to hackers and malware.
Samsung however rejected the allegation, and told TechWeekEurope at the time that it provides users with a choice of whether or not to enable Windows Update.
Take our hacking and viruses quiz here!