OEM software update tools preloaded on PCs are a security mess
Researchers from security firm Duo Security have tested the software updaters that come installed by default on laptops from five PC OEMs (original equipment manufacturers) -- Acer, ASUSTeK Computer, Lenovo, Dell and HP -- and all of them had at least one serious vulnerability. The flaws could have allowed attackers to remotely execute code with system privileges, leading to a full system compromise.
In most cases, the problems resulted from the OEM software updaters not using encrypted HTTPS connections when checking for or downloading updates. In addition, some updaters didn't verify that the downloaded files were digitally signed by the OEM before executing them.
The lack of encryption for the communication channel between an update tool and the OEM's servers allows attackers to intercept requests and to serve malicious software that would be executed by the tool. This is known as a man-in-the-middle attack and can be launched from insecure wireless networks, from compromised routers, or from higher up in the Internet infrastructure by rogue ISPs or intelligence agencies.
In some cases, even when the OEMs implemented HTTPS and digital signature validation, there were other oversights and flaws that could have allowed attackers to bypass the security measures, the Duo Security researchers found.
"During our research, we were often greeted by an intricate mess of system services, web services, COM servers, browser extensions, sockets, and named pipes," the researchers said in their report. "Many confusing design decisions made us wonder if projects were assembled entirely from poor StackOverflow posts."
The five companies did not immediately respond to requests for comment on the Duo Security report.
The security and behavior of the update tools were not even consistent on the same system, let alone the same manufacturer. In some cases, OEMs had different tools that downloaded updates from different sources with significantly different levels of security, the researchers found.
For example, the Lenovo Solutions Center (LSC) was one of the best software updaters tested by the researchers, with solid man-in-the-middle protections. This might be because other flaws were found in LSC several times in the past, drawing the company's attention to it.
On the other hand, the tested Lenovo systems also had a second update tool installed called UpdateAgent that had absolutely no security features and was one of the worst updaters Duo Security analyzed.
The tools preloaded by Dell, namely the Dell Update software and the update plugin of the Dell Foundation Services (DFS), were some of the most well-designed updaters, but that's only if a critical issue caused by the self-signed eDellRoot certificate, found by Duo Security back in November, is excluded.
Since then Dell seems to have beefed up its software update implementations. The Duo researchers found several other issues in the DFS version that came preinstalled on their system, but Dell silently patched them in an update in January before they even had a chance to report them.
HP's updater, the HP Support Solutions Framework (HPSSF) with its HP Download and Install Assistant component, also had decent security in place at first glance. However, the researchers found several ways to bypass some of those protections, mainly because of inconsistent implementations.
The issues with HPSSF stem from its large number of components and the different ways in which they interact with each other. Sometimes the same type of protection, like the signature verification was implemented in multiple places in different ways.
This tendency for complexity was also observed in HP's decision to install an unusually large number of support tools on its PCs.
HP "exposed the most attack surface due to the enormous number of proprietary tools included with the machine," the researchers said. "We’re not really sure what they all do and we kind of got sick of reversing them after a while, so we stopped."
The updaters that fared worse, aside from Lenovo's UpdateAgent, which the company plans to retire and remove from systems in June, were those from Acer and Asus. Not only did they lack HTTPS or file signature validation, but according to Duo Security, the issues remain unpatched.
The main advice of the Duo researchers for users is to wipe the preloaded Windows version that comes with their computer and to install a clean copy of Windows. In most cases they should be able to use their existing license key, which in newer Windows versions is detected automatically during Windows installation.
"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," the Duo researchers said in a blog post.
And that's based only on an analysis of OEM update tools, not all the third-party software that vendors commonly install on new computers. Who knows what other flaws those applications might have