Last year’s Superfish and eDellRoot bloatware mishaps exposed the security nightmare that pre-installed software updaters can create on new laptops. And while these two high-profile incidents made the issue public, they’re hardly isolated cases.
Many popular consumer and business laptops from manufacturers such as Dell, HP, Lenovo, Asus and Acer include bloatware that have a host of security issues. Some transmit XML manifests in the clear, exposing machines to man-in-the-middle attacks, while other flaws can grant attackers privilege escalation or the ability to execute arbitrary code, sometimes at SYSTEM level. Those that do encrypt updates have such poor implementations that they fail to properly validate updates. In all, the attack surface exposed by these programs is large and, in most cases, trivial to update.
Researchers at Duo Labs today published a report on their findings after pulling apart the bloatware from 10 new laptops, all running either Windows 8.1 or Windows 10, including some Microsoft Signature edition machines that are supposed to be bloatware free, but still include some of these components.
They found and privately disclosed a dozen vulnerabilities, half of which were rated high-severity. Asus and Acer have yet to patch any of the flaws reported to them; the two Asus bugs are more than 125 days old and allow for code execution and privilege escalation, while the Acer flaws are more than 45 days old and both expose systems to arbitrary code execution.
HP has patched four of the seven flaws reported to it, while Lenovo said it would remove the affected software from its systems starting in late June.
Dell, meanwhile, has silently updated some flaws, and has mitigations in place that prevent the exploitation of others.
“There are more nuanced flaws. All of these updaters specify their own update manifests where the system grabs a XML file over HTTP (Dell downloads its updates over HTTPS). None of the manifests are signed and they don’t use proper engineering practices to make sure the integrity of the manifests is validated properly,” said Duo Labs researcher and one of the report authors Darren Kemp. “All of (the manifests) include commands to ensure the updates run properly. A bad guy can hijack those commands and execute with system level permission.”
Most of these updaters run with system-level privileges, meaning they’re going to bypass any security protection on the machine.
“Most are implementation and design issues where things are fundamentally broken by design,” Kemp said. “They are not easily mitigated without rewriting how the software works. There are not a lot of controls to prevent this.”
The bloatware in question is primarily there for feature updates for the respective OEM components, things that manufacturers receive monetary incentives to pre-install on computers.
“All of them tended to suffer from the same kinds of flaws, and the level of vulnerabilities on these things negate the hard work Microsoft put in hardening Windows 10,” Kemp said. “The reality is that for most, it’s trivial to perform man-in-the-middle attacks, whereas it’s non-trivial against Windows Update, for example. Very little security engineering went into these.”
Duo Labs identified a number of security issues including the lack of TLS protecting executable files and manifests, as well as a lack of integrity validation of manifest files that could be hijacked in a man-in-the-middle attack and modified to inject malicious software. The respective vendors also failed to validate that executable files running via the updaters were published by the expected source, Duo said, adding that Windows supports this capability via Authenticode. In some cases the validation was not performed or done incorrectly where certificate chains were not validated.
Duo also expressed concern in its report over obfuscation techniques designed to stored encrypted versions of strings and other data that were trivial to reverse engineer.
“By their very nature, they are highly privileged, easy to exploit, and not difficult to reverse engineer,” Duo said in its report. “Couple that with limited security review, and this creates the perfect storm for a network-based attacker.”