OEM software update tools preloaded on PCs are a security mess

Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo, Dell, and HP

Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows computers, but the full extent of the problem is much worse than previously thought.

Researchers from security firm Duo Security have tested the software updaters that come installed by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer, Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have allowed attackers to remotely execute code with system privileges, leading to a full system compromise.

In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS connections when checking for or downloading updates. In addition, some updaters didn't verify that the downloaded files were digitally signed by the OEM before executing them.

The lack of encryption for the communication channel between an update tool and the OEM's servers allows attackers to intercept requests and to serve malicious software that would be executed by the tool. This is known as a man-in-the-middle attack and can be launched from insecure wireless networks, from compromised routers, or from higher up in the Internet infrastructure by rogue ISPs or intelligence agencies.

In some cases, even when the OEMs implemented HTTPS and digital signature validation, there were other oversights and flaws that could have allowed attackers to bypass the security measures, the Duo Security researchers found.
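As an added example (not code from Duo Security's report or from any OEM's tool), the following Go program shows the client-side gate the article describes as missing: refuse a plaintext update source, and verify a pinned-key signature plus package digest before anything is executed. The manifest layout, hostnames and Ed25519 key are constructed for illustration; real updaters would typically also rely on TLS certificate validation and Authenticode-signed binaries.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is what an update server hands the client: the package
// location, its SHA-256 digest, and the OEM release-key signature
// over URL||Digest. Constructed for this example, not any OEM's format.
type Manifest struct {
	URL    string
	Digest [32]byte
	Sig    []byte
}

func (m Manifest) signedBytes() []byte { return append([]byte(m.URL), m.Digest[:]...) }
// Sign models the OEM build server (present only so the example runs end to end).
func Sign(priv ed25519.PrivateKey, m *Manifest) { m.Sig = ed25519.Sign(priv, m.signedBytes()) }
// Verify is the client-side gate the article says several updaters skipped:
// HTTPS-only source, manifest signed by the pinned OEM key, and downloaded
// bytes matching the signed digest. Any failure aborts before anything runs.
func Verify(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return errors.New("refusing non-HTTPS update source")
	}
	if !ed25519.Verify(pinned, m.signedBytes(), m.Sig) {
		return errors.New("manifest not signed by pinned OEM key")
	}
	if sum := sha256.Sum256(pkg); !bytes.Equal(sum[:], m.Digest[:]) {
		return errors.New("package digest mismatch: altered in transit")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	pkg := []byte("constructed sample update payload")
	m := Manifest{URL: "https://updates.example.com/pkg.exe", Digest: sha256.Sum256(pkg)}
	Sign(priv, &m)
	fmt.Println("genuine:", Verify(pub, m, pkg))
	fmt.Println("swapped body:", Verify(pub, m, []byte("mitm payload")))
	m.URL = "http://updates.example.com/pkg.exe" // downgraded source
	fmt.Println("plain HTTP:", Verify(pub, m, pkg))
}
```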

"During our research, we were often greeted by an intricate mess of system services, web services, COM servers, browser extensions, sockets, and named pipes," the researchers said in their report. "Many confusing design decisions made us wonder if projects were assembled entirely from poor StackOverflow posts."

The five companies did not immediately respond to requests for comment on the Duo Security report.

The security and behavior of the update tools were not even consistent on the same system, let alone the same manufacturer. In some cases, OEMs had different tools that downloaded updates from different sources with significantly different levels of security, the researchers found.

For example, the Lenovo Solutions Center (LSC) was one of the best software updaters tested by the researchers, with solid man-in-the-middle protections. This might be because other flaws were found in LSC several times in the past, drawing the company's attention to it.

On the other hand, the tested Lenovo systems also had a second update tool installed called UpdateAgent that had absolutely no security features and was one of the worst updaters Duo Security analyzed.

The tools preloaded by Dell, namely the Dell Update software and the update plugin of the Dell Foundation Services (DFS), were some of the most well-designed updaters, but that's only if a critical issue caused by the self-signed eDellRoot certificate, found by Duo Security back in November, is excluded.

Since then Dell seems to have beefed up its software update implementations. The Duo researchers found several other issues in the DFS version that came preinstalled on their system, but Dell silently patched them in an update in January before they even had a chance to report them.

HP's updater, the HP Support Solutions Framework (HPSSF) with its HP Download and Install Assistant component, also had decent security in place at first glance. However, the researchers found several ways to bypass some of those protections, mainly because of inconsistent implementations.

The issues with HPSSF stem from its large number of components and the different ways in which they interact with each other. Sometimes the same type of protection, such as signature verification, was implemented in multiple places in different ways.

This tendency toward complexity was also evident in HP's decision to install an unusually large number of support tools on its PCs.

HP "exposed the most attack surface due to the enormous number of proprietary tools included with the machine," the researchers said. "We’re not really sure what they all do and we kind of got sick of reversing them after a while, so we stopped."

The updaters that fared worst, aside from Lenovo's UpdateAgent, which the company plans to retire and remove from systems in June, were those from Acer and Asus. Not only did they lack HTTPS and file signature validation, but according to Duo Security, the issues remain unpatched.

The main advice of the Duo researchers for users is to wipe the preloaded Windows version that comes with their computer and to install a clean copy of Windows. In most cases they should be able to use their existing license key, which in newer Windows versions is detected automatically during Windows installation.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," the Duo researchers said in a blog post.

And that's based only on an analysis of OEM update tools, not all the third-party software that vendors commonly install on new computers. Who knows what other flaws those applications might have?

Lucian Constantin

IDG News Service