Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/31/2016
04:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pre-Loaded Laptop Software Comes With Security Risks

Laptops from Dell, HP, Asus, Acer and Lenovo all had at least one vulnerability that could result in complete compromise of system, Duo Security report says.

Pre-loaded software update tools installed on laptops from five major OEM PC vendors can lead to a full system compromise in less than 10 minutes, according to an investigation conducted by Duo Security.

Acer, Asus, Dell, Hewlett-Packard, and Lenovo all had at least one vulnerability that could result in a man-in-the middle attack, allowing for a complete compromise of the affected machine, say researchers at Duo Labs, the company’s research arm.

“The Original Equipment Manufacturer software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware (or bloatware). Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” according to the Duo Lab report "Out-of-the Box-Exploitation, A Security Analysis of OEM Updaters."

Pre-loaded OEM software has serious implications for system security. For example, in early 2015 adware called Superfish pre-installed on Lenovo laptops tampered with the Windows Platform Binary Table, allowing attackers to eavesdrop on unwitting users’ web browser traffic. Later in the year, some Dell computers became vulnerable to man-in-the-middle attacks because of an issue with the eDellRoot certificate authority.

“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed,” the report states.

“The thing about software updaters is that they are inherently privileged. They have to run with full system permission in order to change and modify anything,” says Darren Kemp, an analyst and author of the Duo Lab report.  “A lot of the vulnerabilities we found were easy to find and easy to exploit; it is a real enticing target for attackers.”

All vendors had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, which would allow a complete compromise of a system.  In total, Duo Labs identified and reported twelve different vulnerabilities across all of the vendors.

Key findings included:

  • Dell: one high-risk vulnerability involving lack of certificate best practices, known as eDellroot.
  • Hewlett Packard: two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium- to low-risk vulnerabilities were also identified.
  • Asus: one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege escalation.
  • Acer: two high-risk vulnerabilities that allow for arbitrary code execution.
  • Lenovo: one high-risk vulnerability that allows for arbitrary code execution.

“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities,” the report states.

Duo Security recommends that OEMs should consider hardening their updaters through the consistent use of Transport Layer Security (TLS) for the transmission of manifests and packages/executable files. TLS would have made exploitation of the flaws discovered highly improbable, with the exception of those like the eDellRoot issue, the researchers say.

Hewlett-Packard and Lenovo responded and moved quickly to fix high-risk vulnerabilities, says Steve Manzuik, director of security researcher with Duo Security.  However, Duo Security found it “difficult to get a response” from Acer and Asus. “When we did get a response from them, just getting a follow-up or confirmation that ‘Yes we released a patch and are fixing it,’ proved to be very difficult. It required a lot of communication on our end to ensure that they are on the right track,” Manzuik says.

Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. However, Duo Security did provide users with some advice:

  • Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Otherwise, reducing the attack surface should be the first step in any system-hardening process.
  • Identify unwanted, unnecessary software and disable or uninstall it — less complexity generally results in fewer security flaws.
  • Purchasing Microsoft Signature Edition systems may be beneficial, but it is not guaranteed to protect end users from flaws in OEM software altogether.
  • Dell, HP, and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus. 
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
nouvomarketing
50%
50%
nouvomarketing,
User Rank: Apprentice
6/1/2016 | 10:21:09 PM
Preloaded security threat
Does this annoy anybody else that you're brand new laptop comes with built in security risks?
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.