A Malware Funnel Pre-Installed on Your PC?

Category: Security

The biggest security vulnerability on your desktop or laptop PC probably is not something you picked up off the Internet, or that a phisher injected into your system when you clicked on the wrong email or web link. No, it’s most likely an application that came with your computer, provided free of charge (and responsibility) by HP, Dell, Lenovo, or whatever company made your system. Here's what you need to know…

Hey Computer Vendors, Update Your Updaters!

Nearly all Original Equipment Manufacturers (OEMs, a geeky term for computer vendors) now include at least one app generally known as an “updater.” Updaters load automatically when you boot your system and remain out of sight and mind, running in the background, usually with administrator or SYSTEM privileges so they can install software without asking you.

An updater monitors specified applications installed on your hard drive, checking the version of each app and automatically installing new updates to keep your system better protected against ever-changing attacks. That’s a good thing, as long as the updater itself can’t be hijacked, but...

Almost all major brand OEMs are using half-baked, amateurishly written updaters that any fifth grader can exploit to run any malware he wishes on your system. Most OEMs get their updaters from third parties; therefore, few OEMs control the quality and security testing of the updater software they ship to customers. A few OEMs write their updaters in-house, but it turns out they don’t budget enough to make these universal components secure.

OEM updaters are vulnerable

Duo Labs, the research arm of security software developer Duo Security, dug deeply into the updaters packaged with desktops and laptops made by Acer, ASUS, Dell, HP, and Lenovo. What they found is scary as can be.

Every updater from every OEM included at least one critical vulnerability, one that would allow an attacker who can intercept the updater’s network traffic to take full control of your system and execute any malware he desires on it.

“Attack surface,” the total number of points at which a collection of software can be attacked by hackers, grows with every app installed on a system. Some OEMs package more than one updater on each system, and each one adds to the attack surface and the risk that you’ll be hacked.

Guilty, Guilty, Guilty!

All of the OEMs made poor and incomplete use of TLS, the standard encryption protocol that protects against interception of their updaters’ data streams and the injection of malware into those streams. The chart in Duo’s test summary page shows red X's where updaters fail to use TLS encryption, and as you can see, that chart has a lot of red X's. TLS is only the first line of defense, though: it protects the connection, not the package, so a well-built updater also checks the vendor’s digital signature on whatever it downloads before running it.

Acer doesn’t use TLS at all. One of Lenovo’s two tested updaters doesn’t use TLS either, while the other uses it for all data communications. The inconsistency is mind-boggling; it suggests there are no security standards for updaters at all.

Every single one of the OEMs had at least one actual vulnerability in its updater(s); Duo’s researchers were able to hack their way into all of the updaters to achieve “root privileges” (on Windows, the SYSTEM account), the god-like power to install and run any software they wished on a target computer.
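To make the failure concrete, here is an added example (not Duo’s code and not any OEM’s) of a miniature updater built the way Duo criticised, fetching a plain-HTTP manifest and running whatever it points to, beside one that refuses anything but a vendor-authenticated manifest and a package whose digest matches it. The “network” is an in-memory dictionary; the URLs, key and payloads are constructed for the demo, and an HMAC with a pre-shared key stands in for the asymmetric signature a real vendor would use.

```python
"""Added example, not Duo's code and not any OEM's: a miniature updater in the
shape Duo criticised (plain-HTTP manifest, download executed as found) beside
one that insists on an authenticated manifest and a matching package digest.
The 'network' is an in-memory dict; URLs, key and payloads are constructed."""
import hashlib
import hmac
import json

# A real updater ships the vendor's public key and checks an asymmetric
# signature.  An HMAC with a pre-shared secret stands in here only so the
# example runs on the standard library (assumption, not any OEM's design).
VENDOR_KEY = b"constructed-demo-signing-key"

MANIFEST_URL = "http://updates.example/manifest.json"   # constructed
PACKAGE_URL = "http://updates.example/driver.exe"       # constructed


def sign_manifest(package: bytes, url: str) -> dict:
    """Vendor side: describe the package and authenticate that description."""
    body = {"url": url, "sha256": hashlib.sha256(package).hexdigest()}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(VENDOR_KEY, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def weak_update(network: dict, manifest_url: str) -> bytes:
    """The pattern Duo found: trust whatever the manifest says, run whatever arrives."""
    manifest = network[manifest_url]            # fetched without TLS
    return network[manifest["body"]["url"]]     # would be executed as SYSTEM


def hardened_update(network: dict, manifest_url: str) -> bytes:
    """Refuse unless the manifest is the vendor's and the package matches it."""
    manifest = network[manifest_url]
    encoded = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest not from vendor")
    package = network[manifest["body"]["url"]]
    if hashlib.sha256(package).hexdigest() != manifest["body"]["sha256"]:
        raise ValueError("package does not match manifest")
    return package


def run(client, network: dict) -> tuple:
    """Report what a client would have executed, or why it refused."""
    try:
        return ("ran", client(network, MANIFEST_URL))
    except ValueError as exc:
        return ("refused", str(exc))


GENUINE = b"genuine driver installer"   # constructed payloads
EVIL = b"attacker payload"


def simulate(attack: str = "none") -> dict:
    """Run both clients; 'swap_package' or 'swap_manifest' models a
    man-in-the-middle on the unencrypted link (hostile Wi-Fi, a DNS spoof)."""
    network = {
        MANIFEST_URL: sign_manifest(GENUINE, PACKAGE_URL),
        PACKAGE_URL: GENUINE,
    }
    if attack == "swap_package":
        # Attacker leaves the manifest alone and replaces only the download.
        network[PACKAGE_URL] = EVIL
    elif attack == "swap_manifest":
        # Attacker rewrites the manifest to match the payload but cannot
        # produce a valid tag without VENDOR_KEY.
        forged_body = {"url": PACKAGE_URL,
                       "sha256": hashlib.sha256(EVIL).hexdigest()}
        network[MANIFEST_URL] = {"body": forged_body, "tag": "0" * 64}
        network[PACKAGE_URL] = EVIL
    return {"weak": run(weak_update, network),
            "hardened": run(hardened_update, network)}


if __name__ == "__main__":
    for attack in ("none", "swap_package", "swap_manifest"):
        print(attack, simulate(attack))
```

Proper TLS with certificate validation would keep the attacker off the wire in the first place; the manifest and digest checks are the second layer that still holds when TLS is missing or misconfigured, which is exactly the situation the red X's in Duo’s chart describe. A “manifest” that can be forged, or a package that is never compared against it, leaves the updater running the attacker’s code with the updater’s own SYSTEM privileges.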

“The level of sophistication required to exploit most of the vulnerabilities we found,” writes the Duo team, “is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial.”

OEMs are hard-hit these days by plummeting desktop PC sales, now predicted to be down at the end of fiscal 2016 by 7.3% compared to 2015. But that’s no excuse for shipping products with known, serious dangers.

OEMs include these updaters (ostensibly) to keep your drivers up to date, improve security, and optimize performance. But they're vague on how they actually do the latter two. And drivers rarely need updating, so I'm left wondering if they exist more to help these companies keep tabs on the hardware they sell, and subsequently market other products to its owners.

What You Should Do

My advice is to uninstall any software programs that were added by the manufacturer of the device unless you know that you require it. Most of the time, those are not necessary. Open Control Panel, then click "Uninstall a program." Look for entries that include the name of your computer or printer vendor. I just found and deleted "Dell Update" and "HP Update" from my PC, and I feel fine. If you're not sure about an entry, Google the name and see what comes up. To be extra safe, make a full image backup before removing any OEM software. Once the updater is gone, the job of fetching driver and firmware updates is yours: get them directly from the vendor's support site (over an https:// address) when you actually need them, and let Windows Update handle the rest.
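The Control Panel list is built from the registry's Uninstall keys. Here is an added example (not from the article) that reads the same keys on Windows and picks out entries whose name or publisher is an OEM, flagging the ones that look like updaters. The vendor list and the sample entries are constructed for the demo; on a non-Windows machine the registry read is skipped and the matching logic runs on the samples instead.

```python
"""Added example, not from the article: list installed programs from the
registry Uninstall keys (the same source Control Panel uses) and pick out
OEM entries, flagging the ones that look like updaters.  Vendor names and
SAMPLE_ENTRIES are constructed for the demo."""
import re
import sys

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)
# Word-boundary match so 'hp' does not fire inside words like 'GraphPad'.
OEM_PATTERN = re.compile(r"\b(acer|asus|dell|hp|hewlett[- ]?packard|lenovo)\b", re.I)
UPDATER_PATTERN = re.compile(r"\bupdat", re.I)   # Update, Updater, Updates


def read_uninstall_entries() -> list:
    """Windows only: DisplayName, Publisher and UninstallString of each entry."""
    import winreg
    entries = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in UNINSTALL_KEYS:
            try:
                key = winreg.OpenKey(root, path)
            except OSError:
                continue            # key absent on this view of the registry
            with key:
                index = 0
                while True:
                    try:
                        sub = winreg.EnumKey(key, index)
                    except OSError:
                        break       # no more subkeys
                    index += 1
                    with winreg.OpenKey(key, sub) as subkey:
                        entry = {}
                        for field in ("DisplayName", "Publisher", "UninstallString"):
                            try:
                                entry[field] = str(winreg.QueryValueEx(subkey, field)[0])
                            except OSError:
                                entry[field] = ""
                        if entry["DisplayName"]:
                            entries.append(entry)
    return entries


def find_oem_entries(entries: list) -> list:
    """Return the OEM-published entries, each with an 'updater' flag."""
    hits = []
    for entry in entries:
        text = f"{entry.get('DisplayName', '')} {entry.get('Publisher', '')}"
        if OEM_PATTERN.search(text):
            looks_like_updater = bool(UPDATER_PATTERN.search(entry.get("DisplayName", "")))
            hits.append({**entry, "updater": looks_like_updater})
    return hits


# Constructed sample, not read from any real machine.
SAMPLE_ENTRIES = [
    {"DisplayName": "Dell Update", "Publisher": "Dell Inc.",
     "UninstallString": r"C:\Program Files\Dell\Update\uninstall.exe"},
    {"DisplayName": "HP Update", "Publisher": "Hewlett-Packard",
     "UninstallString": r"C:\Program Files\HP\HP Update\uninstall.exe"},
    {"DisplayName": "Lenovo Power Manager", "Publisher": "Lenovo",
     "UninstallString": r"C:\Program Files\Lenovo\PowerManager\uninstall.exe"},
    {"DisplayName": "Mozilla Firefox", "Publisher": "Mozilla",
     "UninstallString": r"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"},
    {"DisplayName": "GraphPad Prism", "Publisher": "GraphPad Software",
     "UninstallString": r"C:\Program Files\GraphPad\Prism\unins000.exe"},
]


if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hit in find_oem_entries(entries):
        flag = "UPDATER" if hit["updater"] else "       "
        print(f"{flag}  {hit['DisplayName']:<30} {hit['Publisher']}")
```

The name-based updater flag is a heuristic; an OEM tool with a friendlier name can still contain an updater component, so treat the full OEM list as the set to research before removing anything. The UninstallString printed for each hit is what Control Panel runs when you click Uninstall.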

The deplorable weaknesses of OEM updaters are enough to drive me to buy a “white box,” a no-name bare-bones computer built by a local shop that comes with minimal software installed, meaning no updater containing critical vulnerabilities. That’s not the way to turn your declining business around, OEMs!

Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 1 Jul 2016




Most recent comments on "A Malware Funnel Pre-Installed on Your PC?"

(See all 26 comments for this article.)

Posted by:

Steve
01 Jul 2016

what about Intel's update manager?


Posted by:

Therrito
01 Jul 2016

Thank you, Bob, for this informative article. I uninstalled an HP updater for my printer.

@Lynn Dirk & @Steve - Those are very good questions. I'll check back soon to see if there are any replies.


Posted by:

Cho
01 Jul 2016

@Lynn Dirk........"Updaters" are separate functions from "system" updates.


Posted by:

Rhonda Lea Fries
01 Jul 2016

Microsoft Signature Edition (Dell laptop).

I'd never considered buying from the Microsoft store, but there was an amazing sale last Black Friday. When my new laptop showed up clean as a whistle, I started to rethink my shopping habits.

I'll probably buy from Microsoft from now on.


Posted by:

Paul
01 Jul 2016

Another reason I always clean install Windows when someone asks for help with their misbehaving OEM computer.


Posted by:

Dennis WW
02 Jul 2016

Like Glen, above, we found no updaters on our Toshiba laptop. Also, none found on a relatively new PC my son helped me purchase and put together.


Posted by:

Mike
02 Jul 2016

With such updaters deleted or turned off, how about using Secunia's (free) "Personal Software Inspector" for alerts as to when updates ARE available from software creators?

BTW, Win-10 wouldn't uninstall either the Dell updater or the HP updater from my PC. It did offer an option to turn them off - which I did.


Posted by:

Pat C.
02 Jul 2016

OMG! I will remove, via Revo Uninstaller, any and all such BS. Question! If I bought an HP multi-function printer and it has an updater, will that allow the bad guys to screw with my machine?


Posted by:

John James
02 Jul 2016

I always build my own desktops or have my computer store do it for me. $50 to my store is cheap and I get what I want with no bloatware. One reason I don't have a functioning printer is because I don't trust their software either.


Posted by:

Marc
03 Jul 2016

I like to use Secunia's Personal Software Inspector which is free to search for updates but I don't use the links in Secunia when updating since I'm concerned that they could include spyware in the download they link to. For example, if Secunia indicates my Java is outdated I download the update directly from Oracle rather than using the link to download in this software.


Posted by:

Rick
03 Jul 2016

So removing the poorly written updater is a good idea, but not receiving updates on software is a bad idea, as none of the fixes for security issues or just plain poor code will be received. What is the real fix you recommend, Bob? Secunia, or is there something better?


Posted by:

Sandy
04 Jul 2016

Makes me even happier that this old woman built her own darned computer! ;-)


Posted by:

Dave L
04 Jul 2016

I agree with your hint that the OEMs, some of them, are just using the updaters to watch you for "marketing" purposes. Microsoft's Windows Update is unfortunately necessary when it comes to exploits, but 95% of the time MS gets a continuous look at ~1 billion PC users.
Even if you set Windows Update to Never, MS still has access to your computer. That was proven when MS put Windows 10 ads on my Windows 7 and 8 PCs that had Windows Update set to Never. I prefer to do my updates manually.


Posted by:

Bill
05 Jul 2016

What about anti-virus updaters? are they guilty as well of the same vulnerabilities?

EDITOR'S NOTE: I'm not aware of any problems there.


Posted by:

Owner of New PC
05 Jul 2016

Is removal of the Updater sufficient, or does one need to reset or restore the PC from before its first OEM update to remove compromised registry entries that gave a "Trusted Installer" too many permissions?

EDITOR'S NOTE: Removal of the installer is sufficient.


Posted by:

A
06 Jul 2016

Sad, this is what happens when we buy products that do not have ISO 9000 or better.


Posted by:

s
13 Jul 2016

Thanks, Bob for a very helpful article; nice to have someone watching my back!


Posted by:

Dave
17 Jul 2016

As soon as I take any new kit out of the box, I wipe the pre-installed OS and start a fresh install. As well as having security holes, they are often resource hogs as well. (Looking at you, Acer and Dell.)


Posted by:

Russ Muller
18 Jul 2016

I tried the Remo My Turbo PC and it sucks! It is not FREE; after placing itself all over my PC it wanted me to pay or buy so much for 'free' downloads! Plus it took a LONG time to get it off. Listen folks, Bob has some things right but not all the time. "I" HIGHLY recommend getting Microsoft's "Microsoft Security Essentials". I got it as part of a larger package but it will remain after my M.S. "Assured Support Plan" ends. Essentials is great; you can run short or long scans and get security updates from M.S. You can't beat that with a stick!


Posted by:

Ken Heikkila
29 Jul 2016

What about third party updaters like PSI that you have previously recommended?






Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- A Malware Funnel Pre-Installed on Your PC? (Posted: 1 Jul 2016)
Source: https://askbobrankin.com/a_malware_funnel_preinstalled_on_your_pc.html