Laptop Updaters From Major Vendors Pose Security Risks
When consumers buy laptops at retail stores from major laptop vendors, the devices come out-of-the-box with various forms of software updaters. According to research published May 31 by Duo Security, those updates have been exposing users to security risks.
Duo Security found 12 vulnerabilities in the updaters, the worst of which could have potentially enabled an attacker to execute a full system compromise in less than 10 minutes. In some cases, the updaters are used to update what is commonly referred to as "bloatware," extra software that is added to a default operating system providing additional services. Duo Security also found, however, that in many instances "bloatware" isn't the only thing that is being updated by some of these tools.
"Things like device drivers and BIOS firmware get updated by some of them, as well," Darren Kemp, a security researcher at Duo Labs, told eWEEK. "So there are sometimes legitimate, necessary components being updated insecurely through the OEM updaters."
One major cause of the vulnerabilities that Duo Security identified is a lack of proper use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) to authenticate and encrypt an update. Without proper use of SSL/TLS, an update could be intercepted or manipulated by an attacker to deliver malware, instead of a legitimate software update.
Researchers from Duo Security found multiple critical vulnerabilities in out-of-the box laptop software updaters from Lenovo, HP, Dell, Acer and Asus.
Kemp emphasized that the nature of the software being updated is really irrelevant to the overall outcome for an attacker, which is why it doesn't matter what the updaters are actually updating. He noted that the updaters are inherently privileged, executing with system-level permissions.