A Malware Funnel Pre-Installed on Your PC?

Category: Security

The biggest security vulnerability on your desktop or laptop PC probably is not something you picked up off the Internet, or that a phisher injected into your system when you clicked on the wrong email or web link. No, it’s most likely an application that came with your computer, provided free of charge (and responsibility) by HP, Dell, Lenovo, or whatever company made your system. Here's what you need to know…

Hey Computer Vendors, Update Your Updaters!

All Original Equipment Manufacturers (OEMs - a geeky term for computer vendors) now include at least one app generally known as an “updater.” Updaters load automatically when you boot your system and remain out of sight and mind, running in the background.

An updater monitors specified applications installed on your hard drive, checking the version of each app and automatically installing new updates to keep your system better protected against ever-changing attacks. That’s a good thing, but...

Almost all major brand OEMs are using half-baked, amateurishly written updaters that any fifth grader can exploit to run any malware he wishes on your system. Most OEMs get their updaters from third parties; therefore, few OEMs control the quality and security testing of the updater software they ship to customers. A very few OEMs write their updaters in-house, but it turns out they don’t budget enough to make these universal components secure.

OEM updaters are vulnerable

Duo Labs, a security researcher and security software developer for large organizations, dug deeply into the installers packaged with desktops and laptops made by Acer, ASUS, Dell, HP, and Lenovo. What they found is scary as can be.

Every updater from every OEM included at least one critical vulnerability, one that would allow a hacker to take full control of your system and execute any malware he desires on it.

“Attack surface,” the total number of points at which a collection of software can be attacked by hackers, increases with the number of apps installed on a system. Some OEMs package more than one updater on each system, increasing the attack surface and the risk that you’ll be hacked.

Guilty, Guilty, Guilty!

All of the OEMs made poor and incomplete use of TLS, a standard encryption protocol, to protect against interception of their updaters’ data streams and potentially the injection of malware into those streams. The chart in Duo’s test summary page shows red X's where updaters fail to use TLS encryption. And as you can see, that chart has a lot of red X's.

Acer doesn’t use TLS at all. One of Lenovo’s two tested updaters doesn’t use TLS either, while the other uses it for all data communications. The inconsistency is mind-boggling; it suggests there are no security standards for updaters at all.

Every single one of the OEMs had at least one actual vulnerability in its updater(s); Duo’s researchers were able to hack their way into all of the updaters to achieve “root privileges,” the god-like power to install and run any software they wished on a target computer.

“The level of sophistication required to exploit most of the vulnerabilities we found,” writes the Duo team, “is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial.”

OEMs are hard-hit these days by plummeting desktop PC sales, now predicted to be down at the end of fiscal 2016 by 7.3% compared to 2015. But that’s no excuse for shipping products with known, serious dangers.

OEMs include these updaters (ostensibly) to keep your drivers up to date, improve security, and optimize performance. But they're vague on how they actually do the latter two. And drivers rarely need updating, so I'm left wondering if they exist more to help these companies keep tabs on the hardware they sell, and subsequently market other products to them.

What You Should Do

My advice is to uninstall any software programs that were added by the manufacturer of the device unless you know that you require it. Most of the time, those are not necessary. Open Control Panel, then click "Uninstall a program." Look for entries that include the name of your computer or printer vendor. I just found and deleted "Dell Update" and "HP Update" from my PC, and I feel fine. If you're not sure about an entry, Google the name and see what comes up. To be extra safe, make a full image backup before removing any OEM software.

The deplorable weaknesses of OEM updaters is enough to drive me to buy a “white box,” a no-name bare-bones computer built by a local guy that comes with minimal software installed; meaning, no updater containing critical vulnerabilities. That’s not the way to turn your declining businesses around, OEMs!

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 1 Jul 2016

For Fun: Buy Bob a Snickers.

Prev Article:
Free Drawing and Graphic Design Programs

The Top Twenty
Next Article:
Geekly Update - 05 July 2016

Most recent comments on "A Malware Funnel Pre-Installed on Your PC?"

(See all 26 comments for this article.)

Posted by:

01 Jul 2016

what about Intel's update manager?

Posted by:

01 Jul 2016

Thank you, Bob, for this informative article. I uninstalled an HP updater for my printer.

@Lynn Dirk & @Steve - Those are very good questions. I'll check back soon to see if there is any replies.

Posted by:

01 Jul 2016

@Lynn Dirk........"Updaters" are separate functions from "system" updates.

Posted by:

Rhonda Lea Fries
01 Jul 2016

Microsoft Signature Edition (Dell laptop).

I'd never considered buying from the Microsoft store, but there was an amazing sale last Black Friday. When my new laptop showed up clean as a whistle, I started to rethink my shopping habits.

I'll probably buy from Microsoft from now on.

Posted by:

01 Jul 2016

Another reason I always clean install Windows when someone asks for help with their misbehaving OEM computer.

Posted by:

Dennis WW
02 Jul 2016

Like Glen, above, we found no updaters on our Toshiba laptop. Also, none found on a relatively new PC my son helped me purchase and put together.

Posted by:

02 Jul 2016

With such updaters deleted or turned off, how about using Secunia's (free) "Personal Software Inspector" for alerts as to when updates ARE available from software creators?

BTW, Win-10 wouldn't uninstall of either Dell updater or HP updater from my PC. It did trigger an option to turn them off - which I did.

Posted by:

Pat C.
02 Jul 2016

OMG! I will remove, via Revo Uninstaller, any and all such BS. Question! If I bought a HP multi-function printer and it has an updater, will that allow the bad guys to screw with my machine?

Posted by:

John James
02 Jul 2016

I always build my own desktops or have my computer store do it for me. $50 to my store is cheap and I get what I want with no bloat ware. One reason I don't have a functioning printer is because I don't trust their software as well.

Posted by:

03 Jul 2016

I like to use Secunia's Personal Software Inspector which is free to search for updates but I don't use the links in Secunia when updating since I'm concerned that they could include spyware in the download they link to. For example, if Secunia indicates my Java is outdated I download the update directly from Oracle rather than using the link to download in this software.

Posted by:

03 Jul 2016

So removing the poorly written updater is a good idea, but not receiving updates on software is a bad idea as none of the fixes for security issues or just plain poor code will be received. What is the real fix you recommend Bob. Secunia or is there something better.

Posted by:

04 Jul 2016

Makes me even happier that this old woman built her own darned computer! ;-)

Posted by:

Dave L
04 Jul 2016

I agree with your hint that the OEMs, some of them, are just using the updaters to watch you for "marketing" purposes? Microsoft's Windows updates is unfortunately necessary when it comes to exploits, but 95% of the time MS gets a continuous look at ~1 billion PC users.
Even if you put Windows Updates to Never, MS still has access to your computer. That was proven when MS put Windows 10 ads on my Windows 7 and 8 PCs that had Windows Updates set to Never. I prefer to do my updates manually.

Posted by:

05 Jul 2016

What about anti-virus updaters? are they guilty as well of the same vulnerabilities?

EDITOR'S NOTE: I'm not aware of any problems there.

Posted by:

Owner of New PC
05 Jul 2016

Is removal of the Updater sufficient, or does one need to reset or restore the PC from before its first OEM update to remove compromised registry entries that gave a "Trusted Installer" too many permissions?

EDITOR'S NOTE: Removal of the installer is sufficient.

Posted by:

06 Jul 2016

Sad, this is what happens when we buy products that do not have iso9000 or better.

Posted by:

13 Jul 2016

Thanks, Bob for a very helpful article; nice to have someone watching my back!

Posted by:

17 Jul 2016

As soon as I take any new kit of of the box, I wipe the pre-installed OS and start fresh install. As well as security holes, they are often resource hogs as well. (Looking at you Acer and Dell)

Posted by:

Russ Muller
18 Jul 2016

I tried the Remo My Turbo PC and it sucks!!!!IT is not FREE, after placing it all over my PC it wanted me to pay or buy so much for 'free' downloads!!!Plus it took a LONG time to get it off.Listen folks Bob has some things right but not all the time. "I" HIGHLY recommend getting Microsoft's "Microsoft Security Essentials" I got as part of a larger package but it will remain after my M.S. "Assured Support Plan" ends. Essentials is great you can run short or long scans and get security updates from M.S. you can't beet that with a stick!!!

Posted by:

Ken Heikkila
29 Jul 2016

What about third party updaters like PSI that you have previously recommended?

There's more reader feedback... See all 26 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- A Malware Funnel Pre-Installed on Your PC? (Posted: 1 Jul 2016)
Source: https://askbobrankin.com/a_malware_funnel_preinstalled_on_your_pc.html
Copyright © 2005 - Bob Rankin - All Rights Reserved