No one actually likes the preloaded bloatware that comes installed on new Windows PCs, but if your computer is an Asus, Dell, Hewlett Packard, Acer or Lenovo, then that crapware could get you hacked. In some cases, it would take less than 10 minutes for an attacker to fully compromise your PC.
You know bloatware slows down your computer, but Duo Security’s Duo Labs warned, “The worst part is that OEM software is making us vulnerable and invading our privacy.” The researchers said every one of the five major OEM PC vendors it investigated shipped at least one update tool, and each had at least one vulnerability that a hacker could exploit in a man-in-the-middle attack to execute code and completely compromise the affected PC.
“Asus and Acer were the worst,” according to Steve Manzuik, Duo Security's director of security research. Asus had two different vulnerabilities. He told IBTimes, “This one had code execution that was quite obvious and easy to exploit – it literally took less than 10 minutes to attack the system using that vulnerability.” Manzuik added, “They have told us they are patching the issue, but we have still not seen a patch from it. They originally did make a patch, but then they didn't release it. We told them about the bugs over three months ago.”
Asus, which provides updates via “Asus Live Update,” is reportedly so bad that Duo Security’s “Out-of-Box Exploitation: A Security Analysis of OEM Updaters” (pdf) said it provides “attackers with functionality that can only be referred to as remote code execution as service.”
It’s not just Asus and Acer whose updaters are insecure. Duo Labs found and reported 12 different vulnerabilities across the vendors Acer, Asus, Dell, HP and Lenovo.
You may have opted for a bloatware-free PC since Microsoft’s Signature Edition PCs are not supposed to come with any pre-installed bloatware. Yet Duo Security found those systems “also often included OEM update tools, potentially making their distribution larger than other OEM software.” Signature PCs are “not guaranteed to protect end users to flaws in OEM software altogether.”
Near the end of last year, proof-of-concept code was found in the wild that could exploit Dell, Lenovo and Toshiba bloatware bugs; it put millions of users at risk. That’s not the first time and it won’t be the last. It’s a “no-brainer” that hackers would target updaters, but OEMs have failed to learn from this. Duo Security said some vendors “make no attempts to harden their updaters;” some vendors even have multiple software updaters.
All of the vendors Duo Security looked into are listed within IDC’s top five for PC shipments in the first quarter of 2016. Lenovo is on top, having shipped 12,178. HP is second with 11,603 shipments worldwide for the first quarter. Dell is third, having shipped 9,017 PCs. Asus came in fifth with 4,392 PCs shipped.
Duo Labs summarized the most notable vulnerabilities as:
- Dell, which has two updaters investigated by the researchers, has one high-risk vulnerability involving lack of certificate best practices, known as eDellRoot.
- Hewlett Packard, which the researchers said fared OK in their testing compared to other vendors, has two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
- Asus has one high-risk vulnerability that allows for arbitrary code execution as well as one medium severity local privilege escalation.
- Acer, which provides updates via “Acer Care Center,” has two high-risk vulnerabilities that allow for arbitrary code execution.
- Lenovo, which had two updaters examined by the researchers, has one high-risk vulnerability that allows for arbitrary code execution.
The research was conducted between October 2015 and April 2016 on 10 new Windows PCs: Lenovo Flex 3, HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Lenovo G50-80 (UK version), Acer Aspire F15 (UK version), Dell Inspiron 14 (Canada version), Dell Inspiron 15-5548 (Microsoft Signature Edition), Asus TP200S and Asus TP200S (Microsoft Signature Edition).
One of the most common problems is that vendors don’t consistently use encrypted HTTPS connections to transmit manifests, packages and executables. The researchers said TLS would have made exploitation of the flaws they discovered “highly improbable, with the exception of those like the eDellRoot issue.”
The researchers recommended that OEM vendors implement manifest signing and properly validate signatures to ensure executables are signed by a trusted party.
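A minimal sketch of the manifest signing and signature validation the researchers recommend, written as an added example and not taken from Duo Labs or any vendor's updater: the client holds a pinned vendor public key, verifies an Ed25519 signature over the manifest before trusting it, and checks each downloaded installer against the SHA-256 the signed manifest pins before executing it. The key pair, manifest format, installer names and installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Manifest struct {
	Packages map[string]string `json:"packages"` // constructed manifest: installer name -> pinned hex SHA-256
}

func hexSum(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyManifest accepts the manifest only if sig is a valid Ed25519 signature over
// its raw bytes under a public key baked into the updater, never one fetched with it.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyPackage checks a downloaded installer against the signed manifest before it is
// executed: a man-in-the-middle can swap the bytes but cannot match the pinned hash.
func VerifyPackage(m *Manifest, name string, data []byte) error {
	if want, ok := m.Packages[name]; !ok || hexSum(data) != want {
		return fmt.Errorf("package %q unlisted or hash mismatch: refusing to execute", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor signing key (constructed)
	pkg, evil := []byte("constructed installer bytes"), []byte("constructed attacker installer")
	raw, _ := json.Marshal(Manifest{Packages: map[string]string{"driver.exe": hexSum(pkg)}})
	sig := ed25519.Sign(priv, raw)
	m, err := VerifyManifest(pub, raw, sig)
	forged, _ := json.Marshal(Manifest{Packages: map[string]string{"driver.exe": hexSum(evil)}})
	_, ferr := VerifyManifest(pub, forged, sig) // attacker rewrote the manifest but holds no signing key
	fmt.Println("genuine accepted:", err == nil && VerifyPackage(m, "driver.exe", pkg) == nil,
		"swapped installer rejected:", VerifyPackage(m, "driver.exe", evil) != nil, "forged manifest rejected:", ferr != nil)
}
```

Pinning the public key inside the updater is what makes the check meaningful; fetching the key over the same unauthenticated channel as the manifest would let the same attacker replace both.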
Dell, HP and Lenovo vendors “appeared to perform more security due diligence when compared to Acer and Asus.” Both HP and Lenovo “moved quickly to fix high-risk vulnerabilities;” HP reportedly patched four of seven flaws and Lenovo said it would “remove the affected software from its systems starting in late June.” The Acer flaws are over 45 days old, while two Asus vulnerabilities are over 125 days old. Dell called customer security “a top priority,” fixed some flaws and said it would “continue to identify and fix outstanding flaws” after the findings are more closely examined.
Although the exploits are not floating around in the wild this time, Duo Security recommended that users wipe any OEM systems and reinstall a clean, bloatware-free copy of Windows. Uninstall bloatware and antivirus or other trialware you don’t want if you can. If not, try disabling it.