Software makers like Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can't hijack updates to get into your computer.
But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers---HP, Dell, Acer, Lenovo, and Asus---found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.
Researchers at Duo Security's Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities---the ability to remotely run whatever malicious code they want on a system---and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report they're releasing (.pdf) about their findings.
The OEM vendors all shared similar security flaws in varying degrees, such as failure to deliver updates over a secured HTTPS channel or failure to sign update files or validate them. These problems make it possible for attackers to conduct a man-in-the-middle attack to intercept update files as they're transmitted to computers and replace them with malicious ones. The malicious files can get installed regardless of other protections a machine might have because updaters operate with the highest level of trust and privilege on machines.
"It doesn’t take much for one piece of software to negate the effectiveness of many, if not all defenses," they write in their report. "All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can’t protect you when an OEM vendor cripples them with pre-installed software."
Many of the vendors also failed to digitally sign their manifests---lists of files the updater should pull down from a server and install. Attackers can intercept unsigned manifests if they're transmitted unsecurely; then they can either delete important update files from the manifest, preventing computer users from getting updates they need, or add malicious files to the list. The latter would be effective in cases where vendors didn't sign their update files, allowing attackers to slip in their own unsigned files. Some manifests include inline commands that are required to execute update files, but an attacker could simply add inline commands to install and launch his malicious files. In the case of HP, the researchers found they could in fact execute any administrative-level command on a system through the inline commands in its manifest, not just commands to install update files. An attacker could add a new user account to the system, for example, that gives him ongoing access to the system.
"There are myriad ways to abuse command-injection bugs," says Darren Kemp, a researcher with Duo Security. "Pretty much anything an administrator can do, you could do [through the inline commands in the manifest]."
The five vendors they examined are just a sampling, but the researchers noted in their report that based on what they found, it's unlikely that other vendors are any more secure. However, they suspect that Apple's updater might be more locked down because the company is known for taking security seriously and for not installing third-party bloatware on its machines.
"This is one of the cases where that Apple walled garden works," says Kemp. "You get [only] Apple software ... so their ability to control that tightly is in this case a befit to them."
PC makers install update tools on computers to deliver firmware updates---firmware is the software on a computer that boots up the machine and loads the operating system---as well as driver updates and updates to so-called bloatware that comes pre-installed on machines when consumers buy them. Bloatware can be anything from 30-day trial versions of third-party software, to special utilities the OEM offers to add functionality to your machine, to adware that sends ads to your browser as you surf the web. In some cases, the updaters direct computers to the OEM's site to download updates, but in other cases they send computers to the third-party software maker's site to get an update.
The researchers found 12 vulnerabilities across the five vendors, and every vendor had at least one high-risk vulnerability in their updater that would allow remote-code execution. In some cases, vendors installed more than one updater on machines, for different purposes, and the security of each updater was inconsistent.
Of the five OEMs, Dell's updaters were the most secure—although the company doesn't sign its manifests, it sends manifests as well as the update files themselves via secured HTTPS channels to thwart simple man-in-the-middle attacks. The Dell Update also validates that the files are signed and that the certificate used to sign them is valid.
Although the researchers found problems with the latest version of another updater Dell uses for Dell Foundation Services, the company apparently discovered these vulnerabilities independently and patched them before they could report them.
Hewlett-Packard also scored fairly well. The company transmitted updates over HTTPS and also validated updates. But it failed to sign its manifests. And in the case of one downloader component, although HP included a process for verifying signatures of files, it failed to ensure that the verification was always required. An attacker could, for example, download an unsigned malicious file to a computer and prompt the user to run the file. And since HP had a redirect problem that would allow an attacker to redirect a user's machine to a malicious URL masquerading as a legitimate HP download URL, this would have made it easy for an attacker to download malicious code and trick the user into launching it.
Lenovo was a mixed bag when it came to security. It had two updaters the researchers examined---Lenovo Solutions Center and UpdateAgent. The first was one of the best updaters the researchers examined. But the second was one of the worst. Both manifests and update files got transmitted in the clear and the updater didn't validate the signature of files.
Acer tried to do the right thing by signing update files, but failed to specify that the updater should verify signatures, essentially making the signing useless. It also failed to sign its manifests, allowing an attacker to add malicious unsigned files to the manifests.
As bad as Acer was, however, Asus was worse. Its updater was so bad the researchers called it "remote code execution as a service"---essentially a built-in service for hackers to do remote-code execution. Asus transmits unsigned manifests over HTTP instead of HTTPS. And although the manifest file was encrypted, it was encrypted with an algorithm known to be broken, and the key to unlock the file was an MD5 hash of the words "Asus Live Update." As a result, attackers could easily intercept and unlock the list to make changes. Asus update files weren't signed, either, and they were also transmitted via HTTP.
Across the board, the researchers found that if the vendors had simply used HTTPS and certificate signing in a consistent and competent manner, they would have "significantly raised the bar to exploitation."
As varied as their security stances were, the vendors also varied in how easy they made it to report security problems. While Lenovo, HP and Dell, all had direct channels for reporting security problems with their software, Acer and Asus did not, leaving Duo researchers to attempt contact to their customer support lines channels multiple times via email and phone calls before they got a response.
How the vendors responded to the researchers also varied. HP has already patched the most egregious vulnerabilities the researchers found. Lenovo addressed its problems by simply removing the vulnerable software from affected systems. Duo reported the problems to the vendors more than four months ago, but Acer and Asus still haven't indicated when they will fix the problems or if they will.
"Asus told us they were going to patch in a month, then they backed off on that after we pointed out that their planned patch was also flawed," says Steve Manzuik, director of security research at Duo Labs. "And that's when our communication broke down with them."
