When consumers buy laptops at retail stores from major laptop vendors, the devices come out-of-the-box with various forms of software updaters. According to research published May 31 by Duo Security, those updates have been exposing users to security risks.
Duo Security found 12 vulnerabilities in the updaters, the worst of which could have potentially enabled an attacker to execute a full system compromise in less than 10 minutes. In some cases, the updaters are used to update what is commonly referred to as “bloatware,” extra software that is added to a default operating system providing additional services. Duo Security also found, however, that in many instances “bloatware” isn’t the only thing that is being updated by some of these tools.
“Things like device drivers and BIOS firmware get updated by some of them, as well,” Darren Kemp, a security researcher at Duo Labs, told eWEEK. “So there are sometimes legitimate, necessary components being updated insecurely through the OEM updaters.”
One major cause of the vulnerabilities that Duo Security identified is a lack of proper use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) to authenticate and encrypt an update. Without proper use of SSL/TLS, an update could be intercepted or manipulated by an attacker to deliver malware, instead of a legitimate software update.
Kemp emphasized that the nature of the software being updated is really irrelevant to the overall outcome for an attacker, which is why it doesn’t matter what the updaters are actually updating. He noted that the updaters are inherently privileged, executing with system-level permissions.
“There are many opportunities for a man-in-the-middle attacker to piggyback malicious commands or executable code on the back of seemingly legitimate bloatware updates,” Kemp said. “The end result is still a compromise for the user; by the time they notice the update, if they notice it, it’s probably too late.”
Also of particular note is the fact that many of the updaters support the installation of “silent” updates that happen behind the scenes and do not notify the user. Kemp noted that silent updates can potentially be compromised without any indication an update has even been installed. To make matters worse, all the updaters Duo Security looked at provide automatic updates.
“While many of them have some feature that allows a user to interactively request the software check for updates, they all do it autonomously, as well,” Kemp said.
While Duo Security found the vulnerabilities in the updaters, it did not find any instances where the vulnerabilities are or have been actively exploited in the wild. Additionally, most of the vendors that the updater vulnerabilities affected have already fixed the issues.
Kemp noted that during the course of Duo Security’s research, Dell issued software updates that fixed all of the issues. HP fixed the issues with their updaters, while Lenovo simply removed the potentially vulnerable updating software from their systems. Acer and Asus responded to Duo Security, but haven’t provided a formal timeline for public fixes, Kemp said.
The way that Duo Security found the security issues wasn’t through an automated tool but, rather, through a mostly manual process. “We primarily disassembled most of the components manually and audited the code for vulnerabilities, in conjunction with reviewing packet captures to expedite reverse engineering,” Kemp explained.
For consumers looking to protect themselves from the potential risks of vulnerable software updaters, the task is also somewhat manual. “Unfortunately, the only sure way to protect yourself is to simply remove any OEM software altogether, which is admittedly a frustrating task for less technical users,” Kemp said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
