Threat Intelligence

5/31/2016
04:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pre-Loaded Laptop Software Comes With Security Risks

Laptops from Dell, HP, Asus, Acer and Lenovo all had at least one vulnerability that could result in complete compromise of system, Duo Security report says.

Pre-loaded software update tools installed on laptops from five major OEM PC vendors can lead to a full system compromise in less than 10 minutes, according to an investigation conducted by Duo Security.

Acer, Asus, Dell, Hewlett-Packard, and Lenovo all had at least one vulnerability that could result in a man-in-the middle attack, allowing for a complete compromise of the affected machine, say researchers at Duo Labs, the company’s research arm.

“The Original Equipment Manufacturer software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware (or bloatware). Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” according to the Duo Lab report "Out-of-the Box-Exploitation, A Security Analysis of OEM Updaters."

Pre-loaded OEM software has serious implications for system security. For example, in early 2015 adware called Superfish pre-installed on Lenovo laptops tampered with the Windows Platform Binary Table, allowing attackers to eavesdrop on unwitting users’ web browser traffic. Later in the year, some Dell computers became vulnerable to man-in-the-middle attacks because of an issue with the eDellRoot certificate authority.

“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed,” the report states.

“The thing about software updaters is that they are inherently privileged. They have to run with full system permission in order to change and modify anything,” says Darren Kemp, an analyst and author of the Duo Lab report.  “A lot of the vulnerabilities we found were easy to find and easy to exploit; it is a real enticing target for attackers.”

All vendors had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, which would allow a complete compromise of a system.  In total, Duo Labs identified and reported twelve different vulnerabilities across all of the vendors.

Key findings included:

  • Dell: one high-risk vulnerability involving lack of certificate best practices, known as eDellroot.
  • Hewlett Packard: two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium- to low-risk vulnerabilities were also identified.
  • Asus: one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege escalation.
  • Acer: two high-risk vulnerabilities that allow for arbitrary code execution.
  • Lenovo: one high-risk vulnerability that allows for arbitrary code execution.

“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities,” the report states.

Duo Security recommends that OEMs should consider hardening their updaters through the consistent use of Transport Layer Security (TLS) for the transmission of manifests and packages/executable files. TLS would have made exploitation of the flaws discovered highly improbable, with the exception of those like the eDellRoot issue, the researchers say.

Hewlett-Packard and Lenovo responded and moved quickly to fix high-risk vulnerabilities, says Steve Manzuik, director of security researcher with Duo Security.  However, Duo Security found it “difficult to get a response” from Acer and Asus. “When we did get a response from them, just getting a follow-up or confirmation that ‘Yes we released a patch and are fixing it,’ proved to be very difficult. It required a lot of communication on our end to ensure that they are on the right track,” Manzuik says.

Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. However, Duo Security did provide users with some advice:

  • Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Otherwise, reducing the attack surface should be the first step in any system-hardening process.
  • Identify unwanted, unnecessary software and disable or uninstall it — less complexity generally results in fewer security flaws.
  • Purchasing Microsoft Signature Edition systems may be beneficial, but it is not guaranteed to protect end users from flaws in OEM software altogether.
  • Dell, HP, and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus. 
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nouvomarketing
50%
50%
nouvomarketing,
User Rank: Apprentice
6/1/2016 | 10:21:09 PM
Preloaded security threat
Does this annoy anybody else that you're brand new laptop comes with built in security risks?
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.