OEM software update tools preloaded on PCs are a security mess

Researchers found remote code execution flaws in support tools from Acer, Asus, Lenovo, Dell, and HP

Serious vulnerabilities have crept into the software tools that PC manufacturers preload on Windows computers, but the full extent of the problem is much worse than previously thought.

Researchers from security firm Duo Security have tested the software updaters that come installed by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer, Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have allowed attackers to remotely execute code with system privileges, leading to a full system compromise.

In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS connections when checking for or downloading updates. In addition, some updaters didn't verify that the downloaded files were digitally signed by the OEM before executing them.

The lack of encryption for the communication channel between an update tool and the OEM's servers allows attackers to intercept requests and to serve malicious software that would be executed by the tool. This is known as a man-in-the-middle attack and can be launched from insecure wireless networks, from compromised routers, or from higher up in the Internet infrastructure by rogue ISPs or intelligence agencies.

In some cases, even when the OEMs implemented HTTPS and digital signature validation, there were other oversights and flaws that could have allowed attackers to bypass the security measures, the Duo Security researchers found.

"During our research, we were often greeted by an intricate mess of system services, web services, COM servers, browser extensions, sockets, and named pipes," the researchers said in their report. "Many confusing design decisions made us wonder if projects were assembled entirely from poor StackOverflow posts."

The five companies did not immediately respond to requests for comment on the Duo Security report.

The security and behavior of the update tools were not even consistent on the same system, let alone the same manufacturer. In some cases, OEMs had different tools that downloaded updates from different sources with significantly different levels of security, the researchers found.

For example, the Lenovo Solutions Center (LSC) was one of the best software updaters tested by the researchers, with solid man-in-the-middle protections. This might be because other flaws were found in LSC several times in the past, drawing the company's attention to it.

On the other hand, the tested Lenovo systems also had a second update tool installed called UpdateAgent that had absolutely no security features and was one of the worst updaters Duo Security analyzed.

The tools preloaded by Dell, namely the Dell Update software and the update plugin of the Dell Foundation Services (DFS), were some of the most well-designed updaters, but that's only if a critical issue caused by the self-signed eDellRoot certificate, found by Duo Security back in November, is excluded.

Since then Dell seems to have beefed up its software update implementations. The Duo researchers found several other issues in the DFS version that came preinstalled on their system, but Dell silently patched them in an update in January before they even had a chance to report them.

HP's updater, the HP Support Solutions Framework (HPSSF) with its HP Download and Install Assistant component, also had decent security in place at first glance. However, the researchers found several ways to bypass some of those protections, mainly because of inconsistent implementations.

The issues with HPSSF stem from its large number of components and the different ways in which they interact with each other. Sometimes the same type of protection, like the signature verification was implemented in multiple places in different ways.

This tendency for complexity was also observed in HP's decision to install an unusually large number of support tools on its PCs.

HP "exposed the most attack surface due to the enormous number of proprietary tools included with the machine," the researchers said. "We’re not really sure what they all do and we kind of got sick of reversing them after a while, so we stopped."

The updaters that fared worse, aside from Lenovo's UpdateAgent, which the company plans to retire and remove from systems in June, were those from Acer and Asus. Not only did they lack HTTPS or file signature validation, but according to Duo Security, the issues remain unpatched.

The main advice of the Duo researchers for users is to wipe the preloaded Windows version that comes with their computer and to install a clean copy of Windows. In most cases they should be able to use their existing license key, which in newer Windows versions is detected automatically during Windows installation.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," the Duo researchers said in a blog post.

And that's based only on an analysis of OEM update tools, not all the third-party software that vendors commonly install on new computers. Who knows what other flaws those applications might have?

Join the CSO newsletter!

Error: Please check your email address.

More about AcerDellHPLenovoLSCSupport Solutions

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place