OEM Bloatware: A Major Security Risk!


We've all been through the scenario: we purchase a shiny new PC and experience that tinge of excitement and anticipation as we rush home to set it up. We get home, plug it in and boot it up, only to be confronted by a plethora of manufacturer-installed software, what is commonly referred to as bloatware.

Every manufacturer is guilty; there have even been specialist software applications designed specifically to rid new machines of this pestilence – e.g. Decrap My Computer and PC Decrapifier. For a long time we considered the practice more of an irritation and inconvenience than a security risk, then along came the likes of Superfish and eDellRoot. Now, an investigation by security firm Duo Labs has proven beyond doubt that these pre-installed manufacturer programs do indeed represent a major security risk.

Duo Labs concentrated its investigation on the most common tools included with OEM software: third-party updaters. The security company discovered that at least one of these updater tools is included in the default configuration of every single new machine, and that the majority are wide open to exploitation.

Credit: Duo Labs


Duo Labs summarized:

Some vendors made no attempts to harden their updaters, while others tried to, but were tripped up by a variety of implementation flaws and configuration issues. In total, we identified and reported twelve unique vulnerabilities across all of the vendors.

The security company’s investigation also identified a number of concerning trends:

  • Every vendor shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine.
  • Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents.
  • Vendors sometimes had multiple software updaters for different purposes and different implementations; some more secure than others.
  • The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems.
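The three gaps listed above (no TLS, no integrity check, no manifest authentication), shown as the checks a hardened update client would perform before installing anything. This is an added example, not code from the article or from Duo Labs; the vendor key, payload and URL are constructed, and HMAC-SHA256 with a shared key stands in for the public-key signature a real vendor would use.

```python
import hashlib
import hmac
import json

# Constructed demo values. HMAC-SHA256 with a shared key stands in for the
# vendor's public-key signature so the example needs only the standard library.
VENDOR_KEY = b"constructed-demo-vendor-key"
PAYLOAD = b"constructed update payload bytes"

def sign_manifest(manifest: dict, key: bytes) -> str:
    # Vendor side: sign a canonical (sorted, compact) JSON encoding of the manifest.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(payload: bytes, version: str, url: str) -> dict:
    return {"version": version, "url": url, "sha256": hashlib.sha256(payload).hexdigest()}

def verify_update(manifest: dict, signature: str, payload: bytes, key: bytes) -> tuple:
    # Client side: the three checks the report found updaters skipping.
    # 1. Fetch only over TLS; a plaintext URL lets an on-path attacker swap the package.
    if not str(manifest.get("url", "")).startswith("https://"):
        return False, "manifest download URL is not https"
    # 2. Manifest authenticity: reject anything the vendor key did not sign.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature mismatch"
    # 3. Update integrity: the fetched payload must match the signed digest.
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return False, "payload digest does not match manifest"
    return True, "ok"

def run_demo() -> dict:
    # Verdicts for a genuine update and three tampered variants.
    good = build_manifest(PAYLOAD, "1.2.3", "https://updates.example.invalid/pkg.bin")
    sig = sign_manifest(good, VENDOR_KEY)
    edited = dict(good, url="http://updates.example.invalid/pkg.bin")  # altered, not re-signed
    return {
        "genuine": verify_update(good, sig, PAYLOAD, VENDOR_KEY),
        "edited_manifest": verify_update(edited, sig, PAYLOAD, VENDOR_KEY),
        "swapped_payload": verify_update(good, sig, PAYLOAD + b"!", VENDOR_KEY),
        "forged_signature": verify_update(good, sign_manifest(good, b"attacker-key"), PAYLOAD, VENDOR_KEY),
    }

if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case:17} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Only the genuine case is accepted; each tampered variant is rejected by the specific check it defeats, which is the behaviour the report found missing from the shipped updaters.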

And, most worryingly, the level of sophistication required to exploit most of these vulnerabilities is next to zero – in other words, any hacker, even one still on "L" plates, would have no difficulty exploiting them.

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years' experience, he first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele… as well as writing for DCT, of course.
