
How the Top 5 PC Makers Open Your Laptop to Hackers


Batu69


Software makers like Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can’t hijack updates to get into your computer.

 

But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers—HP, Dell, Acer, Lenovo, and Asus—found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.

 

Researchers at Duo Security’s Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities—the ability to remotely run whatever malicious code they want on a system—and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report they’re releasing (.pdf) about their findings.

All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when they're crippled with pre-installed software.

The OEM vendors all shared similar security flaws in varying degrees, such as failure to deliver updates over a secured HTTPS channel or failure to sign update files or validate them. These problems make it possible for attackers to conduct a man-in-the-middle attack to intercept update files as they’re transmitted to computers and replace them with malicious ones. The malicious files can get installed regardless of other protections a machine might have because updaters operate with the highest level of trust and privilege on machines.

[Figure: Out-of-Box Exploitation, vulnerabilities chart]

“It doesn’t take much for one piece of software to negate the effectiveness of many, if not all defenses,” they write in their report. “All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can’t protect you when an OEM vendor cripples them with pre-installed software.”

 

Many of the vendors also failed to digitally sign their manifests—lists of files the updater should pull down from a server and install. Attackers can intercept unsigned manifests if they’re transmitted unsecurely; then they can either delete important update files from the manifest, preventing computer users from getting updates they need, or add malicious files to the list.

 

The latter would be effective in cases where vendors didn’t sign their update files, allowing attackers to slip in their own unsigned files. Some manifests include inline commands that are required to execute update files, but an attacker could simply add inline commands to install and launch his malicious files. In the case of HP, the researchers found they could in fact execute any administrative-level command on a system through the inline commands in its manifest, not just commands to install update files. An attacker could add a new user account to the system, for example, that gives him ongoing access to the system.

 

“There are myriad ways to abuse command-injection bugs,” says Darren Kemp, a researcher with Duo Security. “Pretty much anything an administrator can do, you could do [through the inline commands in the manifest].”


The five vendors they examined are just a sampling, but the researchers noted in their report that based on what they found, it’s unlikely that other vendors are any more secure. However, they suspect that Apple’s updater might be more locked down because the company is known for taking security seriously and for not installing third-party bloatware on its machines.

 

“This is one of the cases where that Apple walled garden works,” says Kemp. “You get [only] Apple software … so their ability to control that tightly is in this case a benefit to them.”

 

PC makers install update tools on computers to deliver firmware updates—firmware is the software on a computer that boots up the machine and loads the operating system—as well as driver updates and updates to so-called bloatware that comes pre-installed on machines when consumers buy them. Bloatware can be anything from 30-day trial versions of third-party software, to special utilities the OEM offers to add functionality to your machine, to adware that sends ads to your browser as you surf the web. In some cases, the updaters direct computers to the OEM’s site to download updates, but in other cases they send computers to the third-party software maker’s site to get an update.

 

The researchers found 12 vulnerabilities across the five vendors, and every vendor had at least one high-risk vulnerability in their updater that would allow remote-code execution. In some cases, vendors installed more than one updater on machines, for different purposes, and the security of each updater was inconsistent.

[Figure: Out-of-Box Exploitation, vulnerabilities chart 2]

Of the five OEMs, Dell’s updaters were the most secure—although the company doesn’t sign its manifests, it sends manifests as well as the update files themselves via secured HTTPS channels to thwart simple man-in-the-middle attacks. The Dell Update also validates that the files are signed and that the certificate used to sign them is valid.

 

Although the researchers found problems with the latest version of another updater Dell uses for Dell Foundation Services, the company apparently discovered these vulnerabilities independently and patched them before they could report them.

 

Hewlett-Packard also scored fairly well. The company transmitted updates over HTTPS and also validated updates. But it failed to sign its manifests. And in the case of one downloader component, although HP included a process for verifying signatures of files, it failed to ensure that the verification was always required. An attacker could, for example, download an unsigned malicious file to a computer and prompt the user to run the file. And since HP had a redirect problem that would allow an attacker to redirect a user’s machine to a malicious URL masquerading as a legitimate HP download URL, this would have made it easy for an attacker to download malicious code and trick the user into launching it.

 

Lenovo was a mixed bag when it came to security. It had two updaters the researchers examined—Lenovo Solutions Center and UpdateAgent. The first was one of the best updaters the researchers examined. But the second was one of the worst. Both manifests and update files got transmitted in the clear and the updater didn’t validate the signature of files.

 

Acer tried to do the right thing by signing update files, but failed to specify that the updater should verify signatures, essentially making the signing useless. It also failed to sign its manifests, allowing an attacker to add malicious unsigned files to the manifests.

 

As bad as Acer was, however, Asus was worse. Its updater was so bad the researchers called it “remote code execution as a service”—essentially a built-in service for hackers to do remote-code execution. Asus transmits unsigned manifests over HTTP instead of HTTPS. And although the manifest file was encrypted, it was encrypted with an algorithm known to be broken, and the key to unlock the file was an MD5 hash of the words “Asus Live Update.” As a result, attackers could easily intercept and unlock the list to make changes. Asus update files weren’t signed, either, and they were also transmitted via HTTP.

 

Across the board, the researchers found that if the vendors had simply used HTTPS and certificate signing in a consistent and competent manner, they would have “significantly raised the bar to exploitation.”

 

As varied as their security stances were, the vendors also varied in how easy they made it to report security problems. While Lenovo, HP and Dell all had direct channels for reporting security problems with their software, Acer and Asus did not, leaving Duo researchers to attempt contact through their customer support channels multiple times via email and phone calls before they got a response.

 

How the vendors responded to the researchers also varied. HP has already patched the most egregious vulnerabilities the researchers found. Lenovo addressed its problems by simply removing the vulnerable software from affected systems. Duo reported the problems to the vendors more than four months ago, but Acer and Asus still haven’t indicated when they will fix the problems or if they will.

 

“Asus told us they were going to patch in a month, then they backed off on that after we pointed out that their planned patch was also flawed,” says Steve Manzuik, director of security research at Duo Labs. “And that’s when our communication broke down with them.”

 

Article source

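The failures the article lists (manifests sent in the clear or left unsigned, signatures present but never actually checked, downloads redirected to other hosts, manifests that carry executable inline commands) all come down to an updater that trusts whatever the network hands it. The following Python is an added illustration and is not code from the article, from Duo's report, or from any of the vendors' updaters; it sketches the checks a client-side updater must apply unconditionally. The signing key, the update host name and the file contents are constructed placeholders, and HMAC-SHA256 stands in for the asymmetric signature (Authenticode or similar, where the client holds only a public key) that a real updater would use.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. A real OEM updater must use
# an asymmetric signature so the client never holds signing material; HMAC is
# used here only to keep the example dependency-free (assumption, not any
# vendor's actual mechanism).
VENDOR_KEY = b"constructed-vendor-signing-key"
# Constructed placeholder host; a real updater pins its own update domain.
ALLOWED_HOSTS = {"updates.example-oem.invalid"}


class UpdateRejected(Exception):
    """Raised whenever any check fails; nothing is installed."""


def _sign(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, base_url: str) -> dict:
    """Vendor side. The manifest is data only: name, URL and SHA-256 of each file.
    It carries no inline commands, so there is nothing to inject even if a
    client were to trust it blindly."""
    body = {"files": [
        {"name": n, "url": f"{base_url}/{n}", "sha256": hashlib.sha256(b).hexdigest()}
        for n, b in sorted(files.items())]}
    return {"body": body, "signature": _sign(_canonical(body))}


def verify_manifest(manifest: dict) -> dict:
    """Client side, step 1: refuse unsigned or tampered manifests outright."""
    body, sig = manifest.get("body"), manifest.get("signature")
    if body is None or sig is None:
        raise UpdateRejected("manifest is unsigned")
    if not hmac.compare_digest(sig, _sign(_canonical(body))):
        raise UpdateRejected("manifest signature does not verify")
    return body


def check_url(url: str) -> None:
    """Client side, step 2: HTTPS only, and only to the pinned update host,
    which closes the plain-HTTP and open-redirect paths the article describes."""
    p = urlparse(url)
    if p.scheme != "https":
        raise UpdateRejected(f"non-HTTPS update URL: {url}")
    if p.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"update URL points at unexpected host: {p.hostname}")


def apply_update(manifest: dict, fetch) -> list:
    """Client side, step 3: download each file and check it against the signed
    manifest before accepting it. Verification is unconditional; there is
    deliberately no flag that can switch it off. `fetch(url)` stands in for the
    HTTP client and returns bytes. Returns the names of accepted files."""
    body = verify_manifest(manifest)
    accepted = []
    for entry in body["files"]:
        check_url(entry["url"])
        blob = fetch(entry["url"])
        if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), entry["sha256"]):
            raise UpdateRejected(f"content of {entry['name']} does not match manifest")
        accepted.append(entry["name"])
    return accepted


def _outcome(manifest: dict, fetch) -> str:
    try:
        apply_update(manifest, fetch)
        return "accepted"
    except UpdateRejected as e:
        return f"rejected: {e}"


def run_scenarios() -> dict:
    """Constructed scenarios: one honest update and three tampering attempts."""
    base = "https://updates.example-oem.invalid/v1"
    files = {"driver.bin": b"constructed driver payload", "fw.bin": b"constructed firmware"}
    manifest = build_manifest(files, base)
    honest = {e["url"]: files[e["name"]] for e in manifest["body"]["files"]}
    results = {"honest": apply_update(manifest, lambda u: honest[u])}

    # 1. Unsigned manifest with an extra file appended (the unsigned-manifest bug).
    forged = {"body": json.loads(json.dumps(manifest["body"]))}
    forged["body"]["files"].append({"name": "extra.bin", "url": f"{base}/extra.bin", "sha256": "00"})
    results["unsigned_manifest"] = _outcome(forged, lambda u: honest.get(u, b""))

    # 2. Validly signed manifest, but one file body is replaced in transit.
    swapped = {**honest, f"{base}/driver.bin": b"something else"}
    results["swapped_file"] = _outcome(manifest, lambda u: swapped[u])

    # 3. Validly signed manifest that lists plain-HTTP URLs (the HTTP-transport bug).
    http_manifest = build_manifest(files, "http://updates.example-oem.invalid/v1")
    results["http_url"] = _outcome(http_manifest, lambda u: b"")
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two design choices map directly onto the findings above: verification has no off switch, because an updater that ships signature checking but does not always require it (the HP downloader) or signs files without ever verifying them (Acer) is no safer than one that never signed anything; and the manifest describes files rather than commands, so a client never hands manifest content to a shell.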

Over the years, I've never found a piece of OEM updating software I could trust.

 

The first action I recommend for OEM laptops: wipe clean, install plain vanilla OS.

 

 

 



2 hours ago, CODYQX4 said:

Agreed. OEM Software is almost universally inferior garbage, buggy, badly updated, inconsistent filler.

 

I nuke any PC that isn't 100% clean install and go from there.

You always pirated Windows though, right? So it's easy for pirates to say this. Before Windows 10, wiping a PC could have caused you to lose Windows activation on an OEM PC; nowadays they don't even send you a Windows DVD with a key any more. The recovery DVD you make will just be an image of the way it was when you bought it.

5 hours ago, Batu69 said:

Of the five OEMs, Dell’s updaters were the most secure—although the company doesn’t sign its manifests, it sends manifests as well as the update files themselves via secured HTTPS channels to thwart simple man-in-the-middle attacks. The Dell Update also validates that the files are signed and that the certificate used to sign them is valid.

 

Although the researchers found problems with the latest version of another updater Dell uses for Dell Foundation Services, the company apparently discovered these vulnerabilities independently and patched them before they could report them.

I owned like 3 Dells, and they have good updates. But almost any of their stuff can be downloaded from their site. I would not recommend keeping much stuff on a Dell OEM; a lot of it can be replaced with free programs, unless you're an advanced user and know how to stop the Dell software from calling home to Dell and know how to kill the Dell Foundation software processes when not using them; it just uses up processes that aren't needed.



23 minutes ago, CODYQX4 said:

You can download the ISO right off MS's site though, no problem, and it will reinstall the OEM SLP 3.0 key right off the BIOS and reactivate when it gets internet access.

 

No piracy necessary at all. For Windows 7, with the right tools you can dump the cert and key.

 

None of it is noob friendly but you don't have to bootleg Windows just to get a clean install, but there have always been hoops to jump through.

 

For Windows 8 and up, If the OEM hasn't molested the built-in recovery image, you don't even need the ISO and can simply hit Reset this PC. I'd wager that most OEMs have, though.

I think you can also just hit Reset on Windows 8.1 and do it this way, but you will lose any backup software that comes with it. I never bothered to clean install Windows 8 on my Windows 8.1 PC because I wanted to keep my factory recovery software on my Dell; I just add it to Process Lasso to kill the process and take it off the blacklist if I need it. It's very easy to uninstall OEM crap and just download updates like firmware and drivers and stuff from the vendor's site. It's like mine: if I update to Windows 10 I have to go get drivers from Dell for my audio and stuff; they're not stock Realtek drivers.



29 minutes ago, CODYQX4 said:

If the OEM used a second partition, it's still there, though I did have a laptop where they had a custom MBR to boot into it so you had to be careful.

 

At least on 10, every laptop I see has 2 partitions and it asks if I want to nuke the whole thing or just C:.

This only helps if nothing happens to your HDD. Like a fool I didn't make a recovery DVD for my Windows 8, but it did have Windows 10 installed on it, and after I replaced the HDD now I would have to call Microsoft to activate Windows 8.1. I'm not putting Windows 10 back on it; maybe it would still work? Because AMD sucks at making drivers, and if I did this I'd rather buy a new HDD, so I just slapped Linux on it. It only takes 20 minutes, since I was dual-booting Linux with Windows 10 before anyway. I have a new Dell with the factory install of Windows 8.1 and I have it fixed the way I want it; if it's not broke I'm not fixing it. Most of the time I wait till things mess up before I do anything. I should never have messed with Windows 10 and just left it alone, lol.



Sony's the worst of the OEM gang by far with Lenovo a close 2nd.  They pretend, even to themselves, to be adding value, but their offerings are typically redundant and inferior.
