"Asus appears to be one of the worst OEMs we looked at, providing attackers with functionality that can only be referred to as remote code execution as a service," the researchers wrote in the report. Asus was singled out for special mention.
In other words, a hacker could totally hijack a system, or install whatever programs he or she saw fit.

Acer and Asus were the worst offenders, and as of the report's release yesterday (May 31), neither had patched the flaws that the researchers had notified them of months beforehand. The researchers found enormous flaws in HP, Asus, Acer and Lenovo updaters that allow remote code execution (an Internet-based attack), or privilege escalation (when a limited user suddenly acquires system-level power).
A different Lenovo updater, Lenovo UpdateAgent 1.0.0.4, failed every single test, as did the single updaters on Acer and Asus machines. Dell and HP were somewhere in the middle.

Because OEM updaters affect a wide variety of programs and accept new programs and code with minimal user input (they're often automated), it's not hard to see how a minimally clever cybercriminal could use bloatware weakness to his or her advantage. Of eight different bloatware updaters found (some brands used more than one), only the Lenovo Solution Center 3.1.001 updater complied with best security practices across the board. Without going into excruciating detail, Duo tested five major security components in the updaters: whether the update manifest (or list of updates to be installed) was transmitted over secure channels; whether the manifest was digitally signed to verify that it came from the OEM and not an impostor; whether the updates themselves came with secure authentication; and whether the updater authenticated incoming code. In theory, it’s simpler than updating each program individually, but in practice, it’s much less secure, and devotes resources to programs you don’t really need in the first place.
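The checks Duo tested for can be sketched as client-side logic. This is an added example, not code from the report or from any OEM updater: it verifies the manifest signature before parsing, refuses non-HTTPS package URLs, and checks each download against the hash in the signed manifest. The key, package name, URL and function names are constructed assumptions.

```python
import hashlib
import json

# Constructed demo key (assumption): textbook RSA over two Mersenne primes so
# this runs on the standard library alone. It is NOT secure; a real updater
# pins the vendor's real public key and uses a vetted signature library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the vendor

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def vendor_sign(manifest_bytes: bytes) -> int:
    """Vendor side: sign the exact bytes that will be served."""
    return pow(_digest(manifest_bytes), D, N)

def verify_manifest(manifest_bytes: bytes, signature: int) -> dict:
    """Client side: authenticate the raw bytes before parsing or trusting them."""
    if pow(signature, E, N) != _digest(manifest_bytes):
        raise ValueError("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    for pkg in manifest["packages"]:
        if not pkg["url"].startswith("https://"):
            raise ValueError("package URL is not HTTPS: " + pkg["name"])
    return manifest

def verify_package(pkg: dict, payload: bytes) -> None:
    """Refuse to run a download whose hash differs from the signed manifest."""
    if hashlib.sha256(payload).hexdigest() != pkg["sha256"]:
        raise ValueError("package hash mismatch: " + pkg["name"])

def check_update(manifest_bytes: bytes, signature: int, payload: bytes) -> str:
    """Return 'install' only if every check passes, else the rejection reason."""
    try:
        manifest = verify_manifest(manifest_bytes, signature)
        verify_package(manifest["packages"][0], payload)
    except ValueError as err:
        return "reject: " + str(err)
    return "install"

# Constructed sample update (hypothetical package name and URL).
PAYLOAD = b"demo installer bytes"
MANIFEST = json.dumps({"packages": [{
    "name": "demo-driver",
    "url": "https://updates.example.invalid/demo-driver.exe",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}]}).encode()
SIGNATURE = vendor_sign(MANIFEST)
```

An updater that skips the signature check accepts any manifest an on-path party serves, which is why an unsigned manifest fetched over plain HTTP amounts to remote code execution.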
While the basic Windows Updater is quite secure, hardware manufacturers often add their own updaters, which also keep the bloatware and some drivers up-to-date. (There may be vulnerabilities in other bloatware programs, but the researchers determined - correctly - that the updater would be the easiest point of attack.) In each case, the problem stemmed from the built-in updaters created for the various forms of bloatware.