Microsoft has ploughed huge resources into securing Windows, but new research shows that five major PC makers are botching the security of pre-installed software.
Security firm Duo Labs has detailed multiple security shortcomings in the updater software bundled in machines from Windows Original Equipment Manufacturers (OEMs) Acer, Asus, Dell, HP, and Lenovo.
Software updaters are implemented by OEMs in newly sold devices so that they can update pre-installed software, sometimes called bloatware.
Duo Labs decided to look at updater implementations because these components have been targeted before, such as the Flame malware that faked Windows Update to infect other devices.
Software from Microsoft is one thing, but software from hardware makers is widely known among security researchers to be an easy target, and so Duo Security focussed on updater software from OEMs, which it said in a new report is “highly privileged, easy to exploit, and not difficult to reverse engineer.”
Worryingly, the company also said that “most OEM vendors fail badly when it comes to responding to and fixing reported vulnerabilities.”
Duo Security found a total of 12 bugs on devices from all five PC makers. It focussed on the impact of man-in-the-middle (MITM) attacks on the update software from each vendor.
The apparent worst of the lot was Asus whose “Asus Live Update” software, which is also used to distribute BIOS updates, had no security features that would harden its updater from such an attack.
For example, Asus transmitted executable update files and manifests — files that alert a system to an available update — unencrypted over HTTP rather than the secure, encrypted HTTPS protocol. It also failed to cryptographically sign its manifests, validate the code.
An MITM attacker could exploit unencrypted manifest file transmission by blocking a security update or riding on the system to install malware, Duo Security highlighted.
Acer was also called out for transmitting files and manifests unencrypted. The only vendor that sent manifests over an encrypted connection was Dell.
“Consistent use of HTTPS and certificate pinning would have significantly raised the bar to exploitation for every single vendor,” Duo Security noted.
Meanwhile, devices from HP, Dell, and Lenovo displayed problems stemming from the complexity of updaters on devices or fragmentation. Each vendor used multiple update systems, implemented these with inconsistent security features, and in some cases used the update systems to install software that had additional updater software.
Lenovo, for example, had an updater called Lenovo Solutions Centre that was hardened against MITM attacks, while another, called “UpdateAgent”, was not.
Most OEMs also failed to validate the authenticity of manifest files, which would undermine attempts to validate the integrity of a subsequent update that may have come from the vendor, but may also have been compromised.
“HP went through the effort of validating that installation commands specified in their manifest were only executed if they had a valid HP signature. What HP did not consider was that the ability to execute arbitrary applications that are signed by HP can be just as harmful,” Duo Security notes.
“Signing the manifest and subsequently validating its integrity on the client-side would have prevented most attacks we identified,” it added.
The findings may spell bad news for OEM bloatware if end-users take Duo Security’s advice. The company says that to mitigate the risks it found, there’s no option but to wipe the OEM’s system and reinstall a clean copy of Windows.
It also recommends buying Microsoft Signature Edition systems, though warns that while they are meant to be bloatware-free, they aren’t.
“Microsoft offers ‘Signature Edition’ systems … often still include specific vendor-supplied drivers, tools, and of course OEM-supplied software updaters. This makes OEM updaters a more prevalent target than many other pieces of bloatware given their potentially wider distribution,” said Duo Security.