Bloatware installed by major PC manufacturers isn’t a new problem, of course, but it seems to increasingly be a security risk – stories of vulnerabilities have become more prevalent in recent times, and a new report from Duo Labs has made some worrying discoveries.
Software updaters are an obvious target for an attacker, as Duo points out in its ‘Security Analysis of OEM Updaters’ report, in which the firm carried out an investigation of the updating tools on notebooks from Acer, Asus, Dell, HP, and Lenovo. The results? 12 separate vulnerabilities were uncovered across these vendors.
Both HP and Acer updaters carried two high-risk vulnerabilities that could allow for arbitrary code execution on the host laptop, with Asus, Dell and Lenovo carrying one high-risk vulnerability.
In other words, every single manufacturer had at least one vulnerability which could allow an attacker to completely compromise the machine in question, and they could do so with relatively minimal effort (i.e. in less than 10 minutes).
That’s not a pretty security picture, and it confirms the fact that if PC manufacturers are going to include software updaters, they really must try much harder to fully secure them.
Duo Labs reported the security holes to the respective PC makers three months back in line with standard disclosure terms, so the manufacturers could fix these problems before they came to light publicly.
The firm notes that HP has fixed its vulnerabilities and Lenovo removed the software in question, which is a fix of sorts. Acer and Asus both responded to Duo, but haven’t given a timeframe for a fix yet – presumably they’ll be coming soon. Dell’s response isn’t mentioned.
Duo’s recommendation for users of laptops which haven’t fixed these issues is to “fully disable updaters and remove all third-party components to be fully protected from these vulnerabilities.”
The firm further notes: “In addition, organisations should install basic security functions, such as two-factor authentication, to ensure users are who they say they are, and turn on encryption.”