A Malware Funnel Pre-Installed on Your PC?
The biggest security vulnerability on your desktop or laptop PC probably is not something you picked up off the Internet, or that a phisher injected into your system when you clicked on the wrong email or web link. No, it’s most likely an application that came with your computer, provided free of charge (and responsibility) by HP, Dell, Lenovo, or whatever company made your system. Here's what you need to know…
Hey Computer Vendors, Update Your Updaters!
All Original Equipment Manufacturers (OEMs - a geeky term for computer vendors) now include at least one app generally known as an “updater.” Updaters load automatically when you boot your system and remain out of sight and mind, running in the background.
An updater monitors specified applications installed on your hard drive, checking the version of each app and automatically installing new updates to keep your system better protected against ever-changing attacks. That’s a good thing, but...
Almost all major brand OEMs are using half-baked, amateurishly written updaters that any fifth grader can exploit to run any malware he wishes on your system. Most OEMs get their updaters from third parties; therefore, few OEMs control the quality and security testing of the updater software they ship to customers. A very few OEMs write their updaters in-house, but it turns out they don’t budget enough to make these universal components secure.
Duo Labs, the research arm of a security software vendor serving large organizations, dug deeply into the updater software packaged with desktops and laptops made by Acer, ASUS, Dell, HP, and Lenovo. What they found is as scary as can be.
Every updater from every OEM included at least one critical vulnerability, one that would allow a hacker to take full control of your system and execute any malware he desires on it.
“Attack surface,” the total number of points at which a collection of software can be attacked by hackers, increases with the number of apps installed on a system. Some OEMs package more than one updater on each system, increasing the attack surface and the risk that you’ll be hacked.
Guilty, Guilty, Guilty!
All of the OEMs made poor and incomplete use of TLS, a standard encryption protocol, to protect their updaters' data streams against interception and, potentially, the injection of malware into those streams. The chart on Duo's test summary page shows red X's where updaters fail to use TLS encryption. And as you can see, that chart has a lot of red X's.
Acer doesn’t use TLS at all. One of Lenovo’s two tested updaters doesn’t use TLS either, while the other uses it for all data communications. The inconsistency is mind-boggling; it suggests there are no security standards for updaters at all.
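The two paragraphs above describe the failure in terms of TLS alone. This added example (mine, not code from the article or from Duo Labs) shows the download step of a hypothetical updater with the weak TLS setting beside the hardened one, plus the integrity check a cautious updater performs before installing anything. The update URL, payload and digest are constructed for the demonstration; the transport is injectable so the whole thing runs offline.

```python
"""Added example, not code from the article or from Duo Labs: the download step of a
hypothetical updater, with the weak TLS setting beside the hardened one and an
integrity check on the payload before anything is installed. URLs, payload and
digest below are constructed for the demo."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


def weak_tls_context() -> ssl.SSLContext:
    """The failure mode the article describes: TLS is negotiated, but the server
    certificate is never checked, so any on-path host can pose as the update
    server. Shown only for comparison with the hardened version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context() -> ssl.SSLContext:
    """System trust store, hostname check, certificate required, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def payload_is_intact(payload: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the download against a digest the updater
    obtained separately (for instance from a signed manifest)."""
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), expected_sha256)


def fetch_update(url: str, expected_sha256: str, open_fn=None) -> bytes:
    """Download an update and refuse it unless transport and content both check out.
    open_fn(url, context) -> bytes is injectable so the logic can run offline."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing plaintext update URL: {url}")
    ctx = hardened_tls_context()
    if open_fn is None:
        def open_fn(u, c):
            with urllib.request.urlopen(u, context=c) as resp:
                return resp.read()
    data = open_fn(url, ctx)
    if not payload_is_intact(data, expected_sha256):
        raise ValueError("digest mismatch: payload rejected before install")
    return data


# Constructed sample data standing in for a real update blob and its manifest digest.
SAMPLE_PAYLOAD = b"OEMUPD\x00v2.1.0 driver package (constructed)"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
TAMPERED_PAYLOAD = SAMPLE_PAYLOAD + b"!!"   # two appended bytes are enough to fail


def demo() -> dict:
    """Run the checks offline with a fake transport; returns what each path did."""
    results = {
        "weak_context_hardened": context_is_hardened(weak_tls_context()),
        "hardened_context_hardened": context_is_hardened(hardened_tls_context()),
    }
    good = lambda u, c: SAMPLE_PAYLOAD          # transport returns the real package
    bad = lambda u, c: TAMPERED_PAYLOAD         # transport returns a modified package
    results["clean_download_ok"] = (
        fetch_update("https://updates.example/pkg", SAMPLE_SHA256, good) == SAMPLE_PAYLOAD
    )
    try:
        fetch_update("https://updates.example/pkg", SAMPLE_SHA256, bad)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    try:
        fetch_update("http://updates.example/pkg", SAMPLE_SHA256, good)
        results["plaintext_rejected"] = False
    except ValueError:
        results["plaintext_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of pairing the two checks: a verified TLS connection stops an on-path host from substituting the server, and the digest check stops a substituted file from being installed even if the transport is somehow compromised. Either one alone is the "incomplete" use the article is complaining about.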
Every single one of the OEMs had at least one actual vulnerability in its updater(s); Duo’s researchers were able to hack their way into all of the updaters to achieve “root privileges,” the god-like power to install and run any software they wished on a target computer.
“The level of sophistication required to exploit most of the vulnerabilities we found,” writes the Duo team, “is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial.”
OEMs are hard-hit these days by plummeting desktop PC sales, now predicted to be down at the end of fiscal 2016 by 7.3% compared to 2015. But that’s no excuse for shipping products with known, serious dangers.
OEMs include these updaters (ostensibly) to keep your drivers up to date, improve security, and optimize performance. But they're vague on how they actually do the latter two. And drivers rarely need updating, so I'm left wondering if they exist more to help these companies keep tabs on the hardware they sell, and subsequently market other products to its owners.
What You Should Do
My advice is to uninstall any software programs that were added by the manufacturer of the device unless you know that you require it. Most of the time, those are not necessary. Open Control Panel, then click "Uninstall a program." Look for entries that include the name of your computer or printer vendor. I just found and deleted "Dell Update" and "HP Update" from my PC, and I feel fine. If you're not sure about an entry, Google the name and see what comes up. To be extra safe, make a full image backup before removing any OEM software.
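Before clicking through Control Panel, it helps to have a list of what the OEM actually put on the machine. This added script (mine, not from the article) reads the same Uninstall registry keys that "Uninstall a program" is built from and flags entries whose name or publisher matches one of the five brands Duo tested; the matching is kept in a separate function, with a constructed sample inventory, so it also runs on a non-Windows machine for review. The vendor pattern and sample entries are my own assumptions, not anything from the article.

```python
"""Added example (not from the article): list installed programs whose name or
publisher matches the OEM brands discussed, so they can be reviewed before
uninstalling. On Windows it reads the Uninstall registry keys behind
Control Panel's 'Uninstall a program'; elsewhere it runs on constructed data."""
import re
import sys

# Vendor pattern is an assumption covering the five brands in Duo's study.
OEM_PATTERN = re.compile(
    r"\b(Acer|ASUS|Dell|HP|Hewlett[- ]Packard|Lenovo)\b", re.IGNORECASE
)

# Registry views that back 'Uninstall a program'
# (64-bit and 32-bit per-machine, plus per-user).
UNINSTALL_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
)


def find_oem_entries(entries, pattern=OEM_PATTERN):
    """entries: iterable of dicts with 'name' and 'publisher' keys.
    Returns the entries matching the vendor pattern, sorted by name."""
    hits = [
        e for e in entries
        if pattern.search(e.get("name") or "") or pattern.search(e.get("publisher") or "")
    ]
    return sorted(hits, key=lambda e: e["name"].lower())


def read_installed_programs():
    """Windows only: walk the Uninstall keys and return name/publisher/version dicts."""
    import winreg  # only importable on Windows
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    fields = (("name", "DisplayName"), ("publisher", "Publisher"), ("version", "DisplayVersion"))
    out = []
    for root, path in UNINSTALL_KEYS:
        try:
            base = winreg.OpenKey(roots[root], path)
        except OSError:
            continue  # key absent on this system (e.g. no WOW6432Node on 32-bit)
        with base:
            subkey_count = winreg.QueryInfoKey(base)[0]
            for i in range(subkey_count):
                try:
                    with winreg.OpenKey(base, winreg.EnumKey(base, i)) as k:
                        entry = {}
                        for field, value_name in fields:
                            try:
                                entry[field] = winreg.QueryValueEx(k, value_name)[0]
                            except OSError:
                                entry[field] = ""
                        if entry["name"]:          # skip hidden/system components
                            out.append(entry)
                except OSError:
                    continue
    return out


# Constructed sample inventory standing in for a real machine's program list.
SAMPLE_INVENTORY = [
    {"name": "Dell Update", "publisher": "Dell Inc.", "version": "2.x"},
    {"name": "HP Support Assistant", "publisher": "HP Inc.", "version": "8.x"},
    {"name": "Mozilla Firefox", "publisher": "Mozilla", "version": "47.0"},
    {"name": "Lenovo System Update", "publisher": "Lenovo", "version": "5.x"},
    {"name": "7-Zip", "publisher": "Igor Pavlov", "version": "16.02"},
]

if __name__ == "__main__":
    inventory = read_installed_programs() if sys.platform == "win32" else SAMPLE_INVENTORY
    for e in find_oem_entries(inventory):
        print(f"{e['name']:<35} {e['publisher']:<20} {e.get('version', '')}")
```

The list is for review, not automatic removal: some vendor entries are drivers or firmware tools the hardware genuinely needs, which is why the article's advice to research an unfamiliar entry and take an image backup first still applies.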
The deplorable weaknesses of OEM updaters are enough to drive me to buy a “white box,” a no-name bare-bones computer built by a local guy that comes with minimal software installed; meaning, no updater containing critical vulnerabilities. That’s not the way to turn your declining business around, OEMs!
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 1 Jul 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved