OEM software update tools preloaded on PCs are a security mess

Lucian Constantin | June 1, 2016
Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo, Dell, and HP.

Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows computers, but the full extent of the problem is much worse than previously thought.

Researchers from security firm Duo Security have tested the software updaters that come installed by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer, Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have allowed attackers to remotely execute code with system privileges, leading to a full system compromise.

In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS connections when checking for or downloading updates. In addition, some updaters didn't verify that the downloaded files were digitally signed by the OEM before executing them.

The lack of encryption for the communication channel between an update tool and the OEM's servers allows attackers to intercept requests and to serve malicious software that would be executed by the tool. This is known as a man-in-the-middle attack and can be launched from insecure wireless networks, from compromised routers, or from higher up in the Internet infrastructure by rogue ISPs or intelligence agencies.
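The two checks the researchers found missing, encrypted transport and a publisher signature check before execution, can be expressed as a gate that runs before any downloaded package is launched. This is an added example, not code from the Duo Security report or from any OEM tool; the function name `Test-UpdatePackage`, the URL, the file path and the publisher name are hypothetical placeholders.

```powershell
# Added example: decide whether a downloaded update package may be executed.
# Test-UpdatePackage and all values in the usage section are hypothetical.
function Test-UpdatePackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]    $SourceUrl,          # where the package was fetched from
        [Parameter(Mandatory)] [string] $Path,               # local copy that would be executed
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # subject name the OEM signs with
    )

    # 1. Transport: refuse packages fetched over an unencrypted channel.
    if (-not $SourceUrl.IsAbsoluteUri -or $SourceUrl.Scheme -ne 'https') {
        Write-Warning "Rejected: '$SourceUrl' is not an absolute HTTPS URL"
        return $false
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Rejected: '$Path' does not exist"
        return $false
    }

    # 2. Integrity: the Authenticode signature must be present, match the
    #    file contents and chain to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected: signature status is '$($sig.Status)'"
        return $false
    }

    # 3. Origin: a valid signature from any publisher is not enough; the signer
    #    must be the expected OEM. Comparing the subject name is a simplification,
    #    pinning the certificate or its issuer is stricter.
    $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($signer -cne $ExpectedPublisher) {
        Write-Warning "Rejected: signed by '$signer', expected '$ExpectedPublisher'"
        return $false
    }

    return $true
}

# Constructed usage: placeholder URL, path and publisher.
$pkg = Join-Path $env:TEMP 'oem-update.exe'
if (Test-UpdatePackage -SourceUrl 'https://updates.example.com/oem-update.exe' `
                       -Path $pkg -ExpectedPublisher 'Example OEM Inc.') {
    Start-Process -FilePath $pkg -Wait   # launch the same file that was verified
}
```

The file that passes the check must be the file that is executed, held in a location other users cannot write to, or the verification can be undone between the check and the launch.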

In some cases, even when the OEMs implemented HTTPS and digital signature validation, there were other oversights and flaws that could have allowed attackers to bypass the security measures, the Duo Security researchers found.

"During our research, we were often greeted by an intricate mess of system services, web services, COM servers, browser extensions, sockets, and named pipes," the researchers said in their report. "Many confusing design decisions made us wonder if projects were assembled entirely from poor StackOverflow posts."

The five companies did not immediately respond to requests for comment on the Duo Security report.

The security and behavior of the update tools were not even consistent on the same system, let alone the same manufacturer. In some cases, OEMs had different tools that downloaded updates from different sources with significantly different levels of security, the researchers found.

For example, the Lenovo Solutions Center (LSC) was one of the best software updaters tested by the researchers, with solid man-in-the-middle protections. This might be because other flaws were found in LSC several times in the past, drawing the company's attention to it.

On the other hand, the tested Lenovo systems also had a second update tool installed called UpdateAgent that had absolutely no security features and was one of the worst updaters Duo Security analyzed.

The tools preloaded by Dell, namely the Dell Update software and the update plugin of the Dell Foundation Services (DFS), were some of the most well-designed updaters, but that's only if a critical issue caused by the self-signed eDellRoot certificate, found by Duo Security back in November, is excluded.
