Τρεις διαφορετικές ευπάθειες ανακαλύφθηκαν (και δημοσιεύτηκαν άμεσα σε ένα PoC) σε προεγκατεστημένο λογισμικό των υπολογιστών Dell, Lenovo και Toshiba (υπολογιστές και tablets) επηρεάζουν εκατομμύρια χρήστες.
A proof-of-concept PoC demonstrates that vulnerabilities allow an attacker to perform malware at system level, no matter what type of user is logged on.
According to the researcher who wrote the PoC, a user can be dragged to open a specially crafted website to download a file, which can also come in as an e-mail attachment. These files allow an attacker to exploit the defect.
The security researcher, slipstream / RoL published his findings without informing any of the three companies Dell, Lenovo and Toshiba.
All three vulnerabilities discovered by the researcher (are available in the Carnegie Mellon University or CERT database), are in pre-installed software often known as "bloatware."
Η Lenovo Solution Center, is an application designed to give the user a quick overview of the "health", security and condition of the system network, and comes pre-installed on a number of products. Includes ThinkPads, ThinkCenter and ThinkStation, IdeaCenter and some IdeaPads, running Windows 7 or later.
In its systems Toshiba, a security vulnerability was also discovered in the pre-installed Toshiba Service Station, which serves software updates, among other things.
According to the researcher slipstream / RoL the application allows a logged-in user to read parts of the registry as a system user, which has higher privileges than a standard account χρήστη. Ο ερευνητής ανέφερε ότι ένας εισβολέας δεν μπορεί να διαβάσει το security account manager (SAM) or the bootkeys, but it is possible to "override special rights from the registry."
In its systems Dell, two vulnerabilities were found by the same security investigator.
Pre-installed Dell System Detect, which checks a user's system for any problems before contacting the support department, can be used to bypass a Windows security feature that scales a user's rights.
The security holes come just a week after allegations were heard about Dell using a pre-installed security certificate that would allow an attacker to intercept traffic andexport man-in-the-middle attacks.
Here, we have to mention that the above security gaps affect millions of systems due to the increased sales of these companies.
As for bloatware, also known as crapware, they are still a major issue in the security of any system that uses them. Lenovo, which was previously "caught" using Superfish adware, has promised to stop grouping pre-installed bloatware on its computers.
See PoC