Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Update Tools Preinstalled on PCs Expose Users to Attacks

Software update and support tools preinstalled on PCs from some of the world’s biggest original equipment manufacturers (OEMs) introduce serious vulnerabilities that expose users to remote attacks.

Software update and support tools preinstalled on PCs from some of the world’s biggest original equipment manufacturers (OEMs) introduce serious vulnerabilities that expose users to remote attacks.

News broke last year that Dell had been installing a root certificate named eDellRoot on systems via Dell Foundation Services to allow support staff to quickly identify the computer model when providing service to customers. Researchers discovered this security issue just months after Lenovo was caught installing a self-signed root certificate to facilitate a piece of adware dubbed Superfish.

Researchers from Duo Security have now conducted a thorough analysis of the software updaters shipped by several major PC makers, including Acer, Asus, Dell, HP and Lenovo. Experts have analyzed Acer Care Center, Asus Live Update, Dell Update, the update plugin in two versions of Dell Foundation Services (DFS), HP Support Solutions Framework (HPSSF), Lenovo Solutions Center, and Lenovo UpdateAgent.

Duo Security has analyzed these updaters as shipped with Flex 3 and G50-80 devices from Lenovo, Envy and Stream (x360) from HP, Acer Aspire, Inspiron 15 and 15-5548 from Dell, and TP200S from Asus. While experts have found some local privilege escalation vulnerabilities, the research has focused on remote attacks that can be launched by man-in-the-middle (MitM) attackers.

Researchers discovered that each of the tested updaters is plagued by at least one flaw that can be easily exploited to achieve remote code execution with SYSTEM permissions, which can lead to a complete compromise of the vulnerable device. The most common problems were related to the use of TLS, update integrity validation, and verification of the update manifest’s authenticity.

In some cases, experts also discovered that the applications performed silent updates, which could make it easy for attackers to push malicious software without raising any suspicion. While some vendors used encryption to protect configuration files and registry data, Duo Security managed to easily reverse engineer these obfuscation attempts.

One of the most common issues found by researchers was the lack of TLS. All of Dell’s update tools and Lenovo’s Solution Center leverage HTTPS to transmit manifests, the files used to inform the system of a new package or software update. However, Lenovo’s UpdateAgent and products from Acer, Asus and HP use HTTP.

Lenovo Solution Center is the only application that uses signed manifests. The lack of TLS and integrity validation allows MitM attackers to modify the manifest to prevent users from getting important updates, or they can leverage malicious manifest files to install malware.

Advertisement. Scroll to continue reading.

In the case of Acer Care Center, Asus Live Update and Lenovo UpdateAgent, an attacker can easily replace legitimate update files with malicious ones because none of these tools use TLS to transmit updates.

Microsoft’s Authenticode allows developers to sign executable files and software packages, but Acer Care Center, Asus Live Update and Lenovo UpdateAgent don’t perform such validation.

Overall, Lenovo’s Solution Center is the most secure, but the company’s UpdateAgent failed all tests, along with products from Acer and Asus.

Software updater vulnerabilities

Researchers identified a total of 12 vulnerabilities across the products from the tested OEMs, with each vendor’s tools being plagued by at least one high-risk flaw.

UPDATE. Lenovo has published an advisory telling users to uninstall Lenovo Accelerator Application from their computers.

Related: HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting

Related: Samsung Fixes MiTM Flaw in Software Update Utility

Related: Lenovo Patches Privilege Escalation Flaws in System Update

Related: Intel Patches Vulnerability in Driver Update Utility

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.