Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

OEM software update tools preloaded on PCs are a security mess

Lucian Constantin | June 1, 2016
Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo, Dell, and HP.

Since then Dell seems to have beefed up its software update implementations. The Duo researchers found several other issues in the DFS version that came preinstalled on their system, but Dell silently patched them in an update in January before they even had a chance to report them.

HP's updater, the HP Support Solutions Framework (HPSSF) with its HP Download and Install Assistant component, also had decent security in place at first glance. However, the researchers found several ways to bypass some of those protections, mainly because of inconsistent implementations.

The issues with HPSSF stem from its large number of components and the different ways in which they interact with each other. Sometimes the same type of protection, like the signature verification was implemented in multiple places in different ways.

This tendency for complexity was also observed in HP's decision to install an unusually large number of support tools on its PCs.

HP "exposed the most attack surface due to the enormous number of proprietary tools included with the machine," the researchers said. "We’re not really sure what they all do and we kind of got sick of reversing them after a while, so we stopped."

The updaters that fared worse, aside from Lenovo's UpdateAgent, which the company plans to retire and remove from systems in June, were those from Acer and Asus. Not only did they lack HTTPS or file signature validation, but according to Duo Security, the issues remain unpatched.

The main advice of the Duo researchers for users is to wipe the preloaded Windows version that comes with their computer and to install a clean copy of Windows. In most cases they should be able to use their existing license key, which in newer Windows versions is detected automatically during Windows installation.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," the Duo researchers said in a blog post.

And that's based only on an analysis of OEM update tools, not all the third-party software that vendors commonly install on new computers. Who knows what other flaws those applications might have?

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.