Top PC vendors bloatware undermine Windows 10 security

Microsoft has ploughed huge resources into securing Windows, but new research shows that five major PC makers are botching the security of pre-installed software.

Security firm Duo Labs has detailed multiple security shortcomings in the updater software bundled in machines from Windows Original Equipment Manufacturers (OEMs) Acer, Asus, Dell, HP, and Lenovo.

Software updaters are implemented by OEMs in newly sold devices so that they can update pre-installed software, sometimes called bloatware.

Duo Labs decided to look at updater implementations because these components have been targeted before, such as the Flame malware that faked Windows Update to infect other devices.

Software from Microsoft is one thing, but software from hardware makers is widely known among security researchers to be an easy target, and so Duo Security focussed on updater software from OEMs, which it said in a new report is “highly privileged, easy to exploit, and not difficult to reverse engineer.”

Worryingly, the company also said that “most OEM vendors fail badly when it comes to responding to and fixing reported vulnerabilities.”

Duo Security found a total of 12 bugs on devices from all five PC makers. It focussed on the impact of man-in-the-middle (MITM) attacks on the update software from each vendor.

The apparent worst of the lot was Asus whose “Asus Live Update” software, which is also used to distribute BIOS updates, had no security features that would harden its updater from such an attack.

For example, Asus transmitted executable update files and manifests — files that alert a system to an available update — unencrypted over HTTP rather than the secure, encrypted HTTPS protocol. It also failed to cryptographically sign its manifests, validate the code.

An MITM attacker could exploit unencrypted manifest file transmission by blocking a security update or riding on the system to install malware, Duo Security highlighted.

Acer was also called out for transmitting files and manifests unencrypted. The only vendor that sent manifests over an encrypted connection was Dell.

“Consistent use of HTTPS and certificate pinning would have significantly raised the bar to exploitation for every single vendor,” Duo Security noted.

Meanwhile, devices from HP, Dell, and Lenovo displayed problems stemming from the complexity of updaters on devices or fragmentation. Each vendor used multiple update systems, implemented these with inconsistent security features, and in some cases used the update systems to install software that had additional updater software.

Lenovo, for example, had an updater called Lenovo Solutions Centre that was hardened against MITM attacks, while another, called “UpdateAgent”, was not.

Most OEMs also failed to validate the authenticity of manifest files, which would undermine attempts to validate the integrity of a subsequent update that may have come from the vendor, but may also have been compromised.

“HP went through the effort of validating that installation commands specified in their manifest were only executed if they had a valid HP signature. What HP did not consider was that the ability to execute arbitrary applications that are signed by HP can be just as harmful,” Duo Security notes.

“Signing the manifest and subsequently validating its integrity on the client-side would have prevented most attacks we identified,” it added.

The findings may spell bad news for OEM bloatware if end-users take Duo Security’s advice. The company says that to mitigate the risks it found, there’s no option but to wipe the OEM’s system and reinstall a clean copy of Windows.

It also recommends buying Microsoft Signature Edition systems, though warns that while they are meant to be bloatware-free, they aren’t.

“Microsoft offers ‘Signature Edition’ systems … often still include specific vendor-supplied drivers, tools, and of course OEM-supplied software updaters. This makes OEM updaters a more prevalent target than many other pieces of bloatware given their potentially wider distribution,” said Duo Security.

Join the CSO newsletter!

Error: Please check your email address.

Tags Duo LabsPre-installed softwareMicrosoftasusOEMspc marketLenovoWindows 10 securityacerHPDell

More about AcerDellHPLenovoMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place