OEM Updaters put PCs at risk
A study by Duo Security, Inc suggests that OEM Updaters, programs designed by PC manufacturers to update vendor-specific software, do more harm than good as they put PCs at risk.
Prebuilt desktop computers, laptops and tablets more often than not ship with a set of added applications and programs. Commonly referred to as crapware, these programs add little value to the system and usually consist of trial versions, shortcuts, and programs created by the manufacturer of the device.
Manufacturers add these in part to make money, but also to push their own software applications onto the devices.
The past has shown that the added content may not only be a nuisance to users but also put the computer at risk.
Duo Security's analysis of update programs by OEMs hammers that point home further. The company concluded that every updater that it analyzed had at least one vulnerability that allowed remote code execution to completely compromise the machine.
The company looked at devices from Acer, Asus, Dell, Hewlett-Packard and Lenovo and found a total of 12 vulnerabilities across all update programs. It looked primarily at man-in-the-middle attacks and remote attack surfaces.
The core issues found were the following ones:
- All devices shipped with at least one preinstalled updater that is vulnerable to attacks.
- These programs often failed to make use of TLS, update integrity validations, or authenticity validations of update manifest contents.
- Some vendors make use of multiple programs to update software, with some often being more secure than others.
- Exploiting the vulnerabilities is trivial according to the researchers.
All vendors, with the exception of Dell, transferred manifest files over HTTP. Furthermore, Acer and Asus did not transfer files over HTTPS at all, while Dell and HP did. Lenovo was the only company in the test with one program that used no HTTPS connections at all and another that supported HTTPS and used it.
Not using HTTPS for transfers is bad practice for obvious reasons. Since most manufacturers transfer manifest files -- the files that tell the system which updates are available -- over HTTP, it is easy enough for attackers to manipulate them. That in turn renders integrity checks useless: if the authenticity of the manifest file cannot be verified, the hashes it carries cannot be relied on to verify the integrity of the files or updates.
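To make the point above concrete, here is an added example (not code from Duo Security or from any of the vendors named in the article) of an update client's two check styles side by side. The manifest format, the download URLs and the payload bytes are constructed for the demonstration, and an HMAC over the manifest with a hypothetical vendor key stands in for the asymmetric signature a real vendor would ship a public key for. The weak check trusts whatever manifest arrived and only compares the payload hash, which is exactly the pattern that a tampered HTTP manifest defeats; the hardened check first authenticates the manifest, then refuses non-TLS download URLs, and only then compares the hash.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. A real updater would ship a
# public key and verify an asymmetric signature over the manifest; HMAC-SHA256
# with a secret plays that role here so the example runs on the standard library.
VENDOR_KEY = b"constructed-demo-signing-key"


def sign_manifest(manifest_body: bytes) -> str:
    """Vendor side: authenticity tag over the exact manifest bytes."""
    return hmac.new(VENDOR_KEY, manifest_body, hashlib.sha256).hexdigest()


def make_manifest(name: str, url: str, payload: bytes) -> bytes:
    """Build a minimal manifest (constructed format) naming the file and its hash."""
    return json.dumps({
        "name": name,
        "url": url,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }, sort_keys=True).encode()


def hash_only_check(manifest_body: bytes, payload: bytes) -> bool:
    """Weak pattern: trust whatever manifest arrived and compare the payload hash only."""
    expected = json.loads(manifest_body)["sha256"]
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), expected)


def authenticated_check(manifest_body: bytes, signature: str, payload: bytes):
    """Hardened pattern: authenticate the manifest, require TLS, then check the hash.

    Returns (accepted, reason)."""
    if not hmac.compare_digest(sign_manifest(manifest_body), signature):
        return False, "manifest authenticity check failed"
    manifest = json.loads(manifest_body)
    if not manifest["url"].startswith("https://"):
        return False, "manifest references a non-TLS download URL"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "payload hash does not match manifest"
    return True, "ok"


# Constructed sample data: what the vendor published ...
GENUINE_PAYLOAD = b"genuine driver package bytes (constructed)"
GENUINE_MANIFEST = make_manifest(
    "example-driver", "https://updates.example.invalid/driver.exe", GENUINE_PAYLOAD)
GENUINE_SIG = sign_manifest(GENUINE_MANIFEST)

# ... and what someone able to rewrite an unauthenticated HTTP manifest could
# substitute: a manifest whose hash matches a different payload. The hash inside
# the manifest is internally consistent, so a hash-only check cannot notice it.
TAMPERED_PAYLOAD = b"substituted package bytes (constructed)"
TAMPERED_MANIFEST = make_manifest(
    "example-driver", "http://updates.example.invalid/driver.exe", TAMPERED_PAYLOAD)

# A manifest the vendor really signed but which points at a plain-HTTP download;
# the hardened check rejects it on policy even though the signature is valid.
HTTP_MANIFEST = make_manifest(
    "example-driver", "http://updates.example.invalid/driver.exe", GENUINE_PAYLOAD)
HTTP_SIG = sign_manifest(HTTP_MANIFEST)


def run_scenarios() -> dict:
    """Map each scenario to whether the client would accept the update."""
    return {
        "hash_only_genuine": hash_only_check(GENUINE_MANIFEST, GENUINE_PAYLOAD),
        "hash_only_tampered": hash_only_check(TAMPERED_MANIFEST, TAMPERED_PAYLOAD),
        "auth_genuine": authenticated_check(GENUINE_MANIFEST, GENUINE_SIG, GENUINE_PAYLOAD)[0],
        "auth_tampered_manifest": authenticated_check(TAMPERED_MANIFEST, GENUINE_SIG, TAMPERED_PAYLOAD)[0],
        "auth_swapped_payload": authenticated_check(GENUINE_MANIFEST, GENUINE_SIG, TAMPERED_PAYLOAD)[0],
        "auth_signed_but_http": authenticated_check(HTTP_MANIFEST, HTTP_SIG, GENUINE_PAYLOAD)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the hash-only client accepting the tampered manifest and payload pair just as readily as the genuine one, while the authenticated client rejects the tampered manifest, a swapped payload under a genuine manifest, and even a validly signed manifest that points at a plain-HTTP URL. The ordering matters: authenticity of the manifest is checked before anything in it is trusted, which is the step the article says most of the tested updaters skipped.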
The full research paper, Out-of-Box Exploitation of OEM Updaters, is available here.
Mitigation of issues
The main issue for users is that there is little they can do to mitigate the issues found in these update programs, short of removing them (and other vendor components) from the device.
Here are a couple of suggestions:
- Create a full system backup.
- Uninstall software programs that shipped with the PC that were added by the manufacturer of the device unless you know that you require it.
- Most of the time, those are not needed to operate the system. Programs like Decrap or Decrapifier may help somewhat, but they usually don't remove vendor software.
If you are about to buy a PC and don't want to build it yourself, consider a Microsoft Signature Edition, which ships without bloatware.
Closing Words
Security issues caused by manufacturers of PCs, laptops and other computing devices are a recurring theme, and it seems unlikely that the situation will get better in the near future.
Now You: Is vendor-specific software still running on your devices?
Hmmm. On the computers I’ve administered in the past few years, I’ve used Lenovo “ThinkVantage” System Update, Dell Command Update, and some updaters from ASRock and MSI (motherboard manufacturers) whose names I’ve forgotten. I used to use Lenovo Solution Center, but that’s more of a general system check-up utility that does RAM tests, drive tests, CPU tests, graphics tests, etc., in addition to checking for driver, utility, and bloatware updates. (I believe Lenovo Solution Center uses Lenovo System Update to check for those updates.) I found the scheduled tests in Solution Center to be superfluous and annoying, and it was revealed to suffer from a couple of security flaws over the period that I used it, one of which was supposedly pretty major. The flaws were quickly patched by Lenovo, but I ended up uninstalling it and leaving it uninstalled.
With Lenovo [“ThinkVantage”] System Update, there was a terribly rough patch during the handover from IBM to Lenovo, where the utility was unusable and drivers and utilities had to be updated manually. Manual updates are (or at least were) a tedious process on Lenovo laptops, which can have dozens of different submodels with different part numbers within a given model, and you have to check each available update to make sure it is suitable for your particular submodel. Thankfully, Lenovo fixed the transition problems and System Update has been pretty reliable (though not 100%*) since then. On my R-series (“business class lite”) and T-series (“business class”) laptops, at least, the vast majority of updates it proposes are for drivers and essential utilities; I’m only aware of two arguably “bloatware” programs it has proposed, REACHit and SHAREit. (I have no clear need for them, so I didn’t install them.) Barring a confirmed major security hole, there is no way I would ever uninstall Lenovo System Update and go back to manual updating or rely on a third-party driver-checker that does not specialize in Lenovo systems.
Dell Command Update (another OEM driver and utilities updater) I can’t say much about because it hardly ever reports available updates. (It’s tempting to conclude that Dell doesn’t put much effort into improving drivers and utilities once the sale is made, or that Dell Command Update misses a lot of suitable updates, but since the computers in question are working pretty well, maybe they just did a good job of getting things mostly right out of the box.) I don’t recall that it’s ever proposed any bloatware, at least not on Latitude-series (“business class”) laptops. Here again, I’m not sure I’d want to uninstall Dell Command Update unless a major security hole were revealed.
The ASRock and MSI updaters seemed to work okay, although they proposed a LOT of bloatware, none of which I installed. Both have found a lot of updates for stuff like the BIOS, USB drivers, audio drivers, and storage drivers.
I’m glad that security specialists are taking a closer look at OEM updating utilities (and disappointed that Duo didn’t look at Lenovo “ThinkVantage” System Update and Dell Command Update specifically), but I’m not seeing a practical alternative to keeping model-specific drivers and utilities up to date, secure, debugged, and optimally performing. “If it ain’t broke, don’t fix it” works fine a lot of the time, but sometimes BIOS, driver, and utility updates are clearly worth installing — and I don’t trust a third-party driver-checker to understand what’s suitable for my system as well as the manufacturer that made it.
*Lenovo System Update hasn’t been entirely perfect, even after the IBM-Lenovo handover problems were ironed out. My R-series submodel came with a notoriously problematic graphics chip that required a generic Nvidia driver to work stably, but Lenovo System Update persisted in proposing Lenovo’s own crash-inducing graphics driver for years after the problem was reported. On the same laptop, the Intel Matrix Rapid Storage driver (if I remember the name correctly) caused Windows Update (and Microsoft Installer, I think) to stop working, but Lenovo System Update kept on proposing that, as well, long after problems had been reported. But apart from those incidents — solved by hiding the bad updates — it’s worked like a charm for me (and, hopefully, reasonably securely).
I use SUMo and DUMo to ensure I get the latest updates; both are free to use and they’re small and maintained. I think that is all someone needs, or you really need to visit the pages and search/update stuff yourself – which costs time and is a bit annoying, e.g. on the Intel page sometimes they don’t show the latest versions via search. Then I go to e.g. station-drivers.com and download it from there (but theoretically also risky because you need to verify it to not get infected) [so not recommended for beginners].
drop: Vulkan may be a solution soon for games? I’m no expert, just a Linux learner, maybe dual booting presents problems because of MBR and windows updates? You could install it to an external hard drive, just use ‘something other’ when installing and double check you install it to correct drive(!) :) I haven’t done it, but have been wondering if you can run Windows inside Virtual Box on Linux, (would it activate?), and then follow usual windows security/hardening routines in the virtual machine. Probably a bit slow for some games…There are some good games on Linux, but at the moment, maybe not big gaming…Check out Youtube for some videos on how to install to external drive, and take note of the good ones. (Depends on your hardware I guess, if it would work).
I know it’s off topic but I got to add in here. From somebody that has run Linux for a long time, I wouldn’t try to put Linux on the same hdd as Windows. Windows 7 really doesn’t like anything touching that MBR. 8/8.1/10 all hate it with a passion and will react accordingly. Very likely to brick it. I have bricked it several times…
Can it be done? Yes. Have I done it? Yes. Would I do it with 10? No. I’d load a usb drive if I didn’t have a second hdd. UEFI is MS attempt to stop you from dual booting IMO. They’ve been trying to take over your whole box for years and 10 is the culmination of that. Big flap in the Linux world when UEFI first came out over this very thing.
I run separate hdds for Linux and Windows and have for several years just so I don’t have any issue with it. I set my Linux hdd to boot in bios and grub will let me start any OS on any other hdd. No mbr/uefi issues that way. Trust me it’s not worth the headache…
I usually play online games, and none of them have linux versions.. I’ve googled that someone tried them on linux(using wine) and did not work. The only online game I know with linux version is Team Fortress.
I’m just hoping that games someday will thrive in Linux :)
I had bought a computer from a small business here and even though I had asked the vendor for a “naked” Windows 7 only, he brought a well partitioned PC, fully Windows Updated but equipped with I don’t know how many software. Got me annoyed and because I was in lack of the machine I refused his proposal to come back with this time a “clean” computer.
Anyway it took me half a day to remove all the applications, use several clean-up tools for remaining files & registry and even if I checked and re-checked there are likely left-overs, mainly in the registry maybe, but none is active.
Perhaps I should have done a clean install like Swamper mentions it above. But Windows 7 was not, is not XP and I hesitated to format a partitioned disk (system and data) as I was and still am not an expert…
True that all these extra applications are a pain. The whole desktop was filled with shortcuts! Many similar applications had been installed (one or the other or none but no redundancy!).
The funniest thing in my case is that I had bought a Windows 7 license when it came out (DVD right from Microsoft shipped to my address), so I asked the vendor if the license fee would be deducted from the PC price, to which he answered yes, but in fact I realized later it hadn’t been deducted. So why the heck buy a license if a new computer includes the OS? This is also why I don’t care for Windows 10 “free” (should I care for Win10): when I get a new PC (2020 likely, with Win7’s end-of-cycle) it’ll have Win10 installed whether I stick with Windows or not. Why bother?
Hey Tom. I’m fairly certain my 2020 PC will be Linux. I believe it will be more mainstream then, as MS continues to alienate their customers.
@Jeff-FL:
I’m in your camp, too. I’m kind of excited by one recent revelation (to me, whose experience with Linux is quite limited) and two recent developments in the Linux world:
— According to a recent comment to a different Ghacks article,* it’s apparently possible to take a Linux system drive from one computer, stick it in a different computer, boot from it, and have it work. To Windows users who have ever had a computer die on them for non-drive reasons, this is pure catnip. Even if some post-transfer tweaking were desirable, it could permit near-immediate resumption of work on a spare computer and potentially avoid days of installation and configuration work when the dead computer is replaced.
— A stable Linux kernel (4.4) has been released that supports the “new” Intel Skylake chipsets and it has begun finding its way into various distros — Ubuntu 16.04 LTS, for sure. (That being said, it’s probably a good idea to check out real-world reports of how well specific Thunderbolt 3 and USB 3.1 peripherals actually work, same as with Windows.) Windows 7 can apparently require jumping through certain hoops to get it installed on at least some new Skylake-based computers, and once you succeed in getting it installed, I believe it won’t support UASP, Thunderbolt 3, or USB 3.1.
— The Snap installation packages offered in Ubuntu 16.04 LTS as an alternative to standard deb packages allow you to easily install the latest versions of various applications, along with the libraries they require, as isolated, standalone (quasi-“portable”?) apps, without overwriting the distro’s standard libraries and potentially breaking other applications that require those standard libraries. Again, I have limited experience with Linux, but this sounds pretty useful to me. Linux Mint is based on Ubuntu, and the rumor is that it will probably support Snap packages in the near future, starting with release 18.
*Here’s the comment, from “Dan”:
The best way to clone a hard drive (least time-consuming, error-prone) – gHacks Tech News
https://www.ghacks.net/2015/08/29/the-best-way-to-clone-a-hard-drive-least-time-consuming-error-prone/
Just wanted to comment on the “Linux” portion here. Yes, you can pull a Linux hd out of any machine and plug it into any other machine, boot up and get to work. Linux doesn’t care. Hardware drivers are built into the kernel and detect and load in when you boot up.
I’ve taken my Linux drive out of my laptop and popped it into many client laptops to prove to my clients how smart Linux is. My sister just bought a new laptop this week. I pulled her Linux SSD out of her Asus laptop and plopped it into her new Lenovo and it booted in 10 seconds to her desktop ready to go. Windows would have a fit if you tried that.
Same here .. set up my linux mint about 3 months ago (it was the day before the linux mint site was hacked). I just used a spare older machine and it sits right next to my main machine so I can play with it and learn – all in preparedness for the day this Win7 machine kicks the dust.
I agree with Valrobex. You can load linux in USB, just try it once or twice. If you’re comfortable then try dual booting the linux.
My work computer can be transitioned to linux already but my home computer sadly cannot.. because no games on linux. I heard that’s not possible because games use directx and it’s not available on linux :(
@ Jeff-FL & Tom Hawack
I’ve been using Linux Mint now for several months with Virtual Box running Win 7. Linux Mint is a somewhat easy transition from Windows, unlike some of the other Linux distros.
Likewise, you can load Mint directly from a USB to learn how to use it all the while leaving Win 7 alone. Granted, it’s somewhat slower but nonetheless usable in order to learn how to use. It’s also possible to select either one or the other OS to use by loading Mint to a separate partition on the HD and choosing one when the system boots.
I recommend that you guys start playing around with Linux (Mint) now, while Win 7 is still mainstream (2019-2020 is fast approaching…) and if I can figure it out (and I’m a complete novice compared to most readers of this blog) you guys should have no real problem.
Hi Jeff-FL, doubt is my second nature but as you I’m fairly certain as well that Windows 7 is my last part of the trip with Microsoft. Yet, should Win10 change radically before 2020 (which I doubt even more!) then, maybe, would I at least think about it.
Installing Windows is really easy nowadays. The CD key is integrated in the motherboard, so just clean install Windows; it’s way faster and cleaner than removing the applications one by one.
Windows 7 and 10 installation is very simple, with fewer things to configure than XP.
@Mayank
Windows ISOs are available on the official site, you can Google it.
@Tom
Some manufacturers include those ‘unknown’ partitions for system recovery but I never see it that big!
@Corky
I agree. Maybe that’s one of the reasons why people choose to build their own PC now.
@Martin
I never have a drive larger than 1TB, so I don’t know.
I used rufus to load the ISO to USB drive and boot the drive. After that it’s really easy! That’s what I found from uncle Google :)
@george:
If you think Windows 7 is always easy to install, think again. Try installing 64-bit Windows 7 to a GPT partition greater than 2TB on a UEFI system. It involves doing this:
Creating Windows UEFI Boot-Stick in Windows – Thomas-Krenn-Wiki
https://www.thomas-krenn.com/en/wiki/Creating_Windows_UEFI_Boot-Stick_in_Windows
I installed 64-bit Windows 7 SP1 to a single-partition 4TB drive a couple of years ago, and trust me, it was no barrel of monkeys, especially since one of the paths in the above instructions (as they were written at the time, at least) didn’t match the paths on my DVD. It didn’t take me too long to figure out what path to use instead, but it was still a little frustrating. And even without the “wrong path” snag, I’d still say the install procedure was beyond the abilities and confidence level of an ordinary, non-geek user.
@george, While I get what you’re saying, that it’s easy to reinstall Windows, it’s wrong to expect end-users who may not have the technical confidence to do that. If OEMs want “normal” people to buy their products they need to make it a pleasant and safe experience.
What OEMs are doing is the equivalent of a dealership selling cars laden with sponsorship and added extras that, while reducing the cost of the car and providing what they see as added-value items, detract from the appeal of their cars. Sometimes people are happy to pay extra if it means they don’t have to spend days removing all those added extras and sponsorship signs.
Nowadays maybe, but as far as I know the computer I’m referring to was bought late 2013, and I recall the vendor asking me if he should register the OS with his company’s Product Key or with mine (the one sent to me by Microsoft together with the DVD), and I chose mine. Also — but this is off-topic — my 500GB hard disk is, as I said, partitioned with System and Data (c: & d:) but includes a mysterious (to me) 16.54GB NTFS “unknown” partition which I believe holds all the extra applications’ installers that had been added to the OS. When I asked the vendor if I could remove this partition he told me not to, without specifically explaining why. I still don’t know (yes: this is a way of asking you all!)… so all this contributed to my hesitation to perform a clean install. Also my DVD was Windows 7 and included neither SP1 nor all the Windows Updates delivered after it until my install. Since then I downloaded Windows 7 SP1 from MS servers, providing my required Product Key.
Not every end user does [or can do]. Manufacturers shy away from providing ISOs, so if someone has Win 7, he doesn’t have a straightforward option. It’s easier with 8 and 10, but I’m quite sure many people out there might not even be aware of ISOs or Reset functions.
And people wonder why the bean counters keep recording a decline in OEM sales.
Maybe if they offered a vanilla OS without all the rubbish that comes pre-installed people would find the idea of buying a computer from them more attractive.
I’m in the PC repair business, and I can indeed confirm. I’m seeing less & less interest by people in using PC’s. You get these things from the factory and they are in dreadful condition, slowed to a crawl with rubbish bloatware.
Their impression of PCs becomes a negative thing: that they are inherently slow and that when you use them you are barraged with pop-ups and ads for trialware no one asked for or wants.
Merely turning on a Windows PC for the first time is an exercise in frustration, and a terrible first impression on inexperienced PC users. You are greeted with a setup process that takes a solid hour it seems like. Then it starts hitting you with Microsoft’s terrible update system, which is slow & clunky and often fails with errors that aren’t explained.
It is no surprise to me at all that people are more & more saying ‘fu*k it, I’ll just use my phone for email & facebook’.
These updaters are just a part of the crap that OEM’s force on the end users[along with all those trial versions of McAfee and what not]. There is no real benefit to using these and these should be exterminated at once.
They missed Sony. Or Vaio or whatever. Speaking of which, what’s going on with them?
I exterminate these with extreme prejudice. Even on Android if at all possible. You’re not getting any features that you need and they are getting telemetry off your box. A lot of them are giving you features that are already part of the OS. So why do you need their software that you didn’t ask for?
Lots of times I do clean installs just to get rid of the crapware. If I want the software I will install it. It’s my PC and I decide what goes in it, not somebody else. I’ve worked on low-power laptops that take forever to boot just because of OEM crapware at start-up.
The security ramifications they could create or do create are not worth the risk. All over the desire to advertise to you a brand-name that you apparently already bought so why the need to advertise to a convert?
sadly you can’t do it in android.. the only choice is use nexus or install custom rom :(
@george What I meant by Android was I get rid of what I can. As long as the OEM doesn’t have it set as a default app some of that stuff you were able to get rid of, not all, some…
Like @Dave said below about Sony, I’d like to know what’s up with them too. They were putting out Android with no crapware on it. Don’t know about now. May be my next phone, them or a Nexus, just over all the crapware.
@george, Sorry to say that’s incorrect, Android has been a two-tier platform: there’s the Android Open Source Project, and there’s Android with Google.
https://source.android.com/
Basically people (including myself in the past) think of Android with Google, which comes with things like Gmail, Google Maps, and the Google Play Store, and confuse that with the AOSP.