Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Laptop Updaters From Major Vendors Pose Security Risks

    By
    SEAN MICHAEL KERNER
    -
    June 1, 2016
    Share
    Facebook
    Twitter
    Linkedin
      laptop software updaters

      When consumers buy laptops at retail stores from major laptop vendors, the devices come out-of-the-box with various forms of software updaters. According to research published May 31 by Duo Security, those updates have been exposing users to security risks.

      Duo Security found 12 vulnerabilities in the updaters, the worst of which could have potentially enabled an attacker to execute a full system compromise in less than 10 minutes. In some cases, the updaters are used to update what is commonly referred to as “bloatware,” extra software that is added to a default operating system providing additional services. Duo Security also found, however, that in many instances “bloatware” isn’t the only thing that is being updated by some of these tools.

      “Things like device drivers and BIOS firmware get updated by some of them, as well,” Darren Kemp, a security researcher at Duo Labs, told eWEEK. “So there are sometimes legitimate, necessary components being updated insecurely through the OEM updaters.”

      One major cause of the vulnerabilities that Duo Security identified is a lack of proper use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) to authenticate and encrypt an update. Without proper use of SSL/TLS, an update could be intercepted or manipulated by an attacker to deliver malware, instead of a legitimate software update.

      Kemp emphasized that the nature of the software being updated is really irrelevant to the overall outcome for an attacker, which is why it doesn’t matter what the updaters are actually updating. He noted that the updaters are inherently privileged, executing with system-level permissions.

      “There are many opportunities for a man-in-the-middle attacker to piggyback malicious commands or executable code on the back of seemingly legitimate bloatware updates,” Kemp said. “The end result is still a compromise for the user; by the time they notice the update, if they notice it, it’s probably too late.”

      Also of particular note is the fact that many of the updaters support the installation of “silent” updates that happen behind the scenes and do not notify the user. Kemp noted that silent updates can potentially be compromised without any indication an update has even been installed. To make matters worse, all the updaters Duo Security looked at provide automatic updates.

      “While many of them have some feature that allows a user to interactively request the software check for updates, they all do it autonomously, as well,” Kemp said.

      While Duo Security found the vulnerabilities in the updaters, it did not find any instances where the vulnerabilities are or have been actively exploited in the wild. Additionally, most of the vendors that the updater vulnerabilities affected have already fixed the issues.

      Kemp noted that during the course of Duo Security’s research, Dell issued software updates that fixed all of the issues. HP fixed the issues with their updaters, while Lenovo simply removed the potentially vulnerable updating software from their systems. Acer and Asus responded to Duo Security, but haven’t provided a formal timeline for public fixes, Kemp said.

      The way that Duo Security found the security issues wasn’t through an automated tool but, rather, through a mostly manual process. “We primarily disassembled most of the components manually and audited the code for vulnerabilities, in conjunction with reviewing packet captures to expedite reverse engineering,” Kemp explained.

      For consumers looking to protect themselves from the potential risks of vulnerable software updaters, the task is also somewhat manual. “Unfortunately, the only sure way to protect yourself is to simply remove any OEM software altogether, which is admittedly a frustrating task for less technical users,” Kemp said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×