A study by Duo Security, Inc suggests that OEM Updaters, programs designed by PC manufacturers to update vendor-specific software, do more harm than good as they put PCs at risk.
Prebuild desktop computers, laptops and tablets ship with a set of added applications and programs more often than not. Commonly referred to as crapware, these programs add little value to the system and are often comprised of trial versions, shortcuts, and programs created by the manufacturer of the device.
Manufactures add these in part to make money but also to push their software applications on the devices.
Duo Security's analysis of update programs by OEMs hammers that point home further. The company concluded that every updater that it analyzed had at least one vulnerability that allowed remote code execution to completely compromise the machine.
The company looked at devices from Acer, Asus, Dell, Hewlett-Packard and Lenovo and found a total of 12 vulnerabilities across all update programs. It looked primarily at man in the middle attacks and remote attack surfaces.
The core issues found were the following ones:
All vendors, with the exception of Dell, transferred manifest files over HTTP. Furthermore Acer and Asus don't transfer files over HTTPS at all while Dell and HP did. Lenovo was the only company in the test that had one program use no HTTPS connections at all, and another that supported HTTPS and used it.
Not using HTTPS for transfers is bad practice for obvious reasons. Since most manufacturers use HTTP when transferring manifest files -- used to inform the system of updates -- it is easy enough for attackers to manipulate those files. This in turn makes integrity checks useless as it is impossible to verify the integrity of files or updates if the authenticity of the manifest file cannot be verified.
The full research paper, Out-of-Box Exploitation of OEM Updaters, is available here.
Mitigation of issues
The main issue for users is that there is little that they can do to mitigate the issues found in these update programs short of removing these (and other vendor components) from the device.
Here are a couple of suggestions:
If you are about to buy a PC and don't want to build it yourself, try grabbing a Microsoft Signature Edition which ship without bloatware.
Security issues caused by manufacturers of PCs, laptops and other computing devices are a recurring scheme, and it seems unlikely that the situation will get better in the near future.
Now You: Is vendor-specific software still running on your devices?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.