Μια έκθεση 36 σελίδων που δημοσιεύτηκε από την Duo Security αποκαλύπτει την θλιβερή κατάσταση με τα bloatware που χρησιμοποιούν οι OEMs στα laptopκαι όχι μόνο. Με τον όρο bloatware περιγράφουμε τα ενοχλητικά προγράμματα που έρχονται συνήθως σαν updaters οδηγών (drivers). Τις περισσότερες φορές αναφέρονται και ως crapware, και έρχονται ενσωματωμένα με το νέο σας laptop εγκατεστημένα από την ίδια την company.
Duo Security's team of researchers conducted checks on the built-in software that comes as a driver updater on laptops from Acer, Asus, Dell, Hewlett-Packard (HP), and Lenovo.
The results of their analysis were very worrying.
The Duo Security team has discovered that many OEMs or Original Equipment Manufacturers are using applications with too many security problems that sometimes leave the attacker full rights to the devices.
“Τα σπάσαμε όλα και μερικά ήταν χειρότερα από τα άλλα. Κάθε εταιρεία είχε τουλάχιστον ένα θέμα vulnerabilityς που θα μπορούσε να επιτρέψει επιθέσεις Man-in-the-middle (MITM) and executing arbitrary code on the system.”
The Duo team reports that the driver update software on each laptop includes at least one security flaw that allows the attacker to run code on the user's laptop and occupy the device.
Even worse, Duo reports that very few companies know how to properly implement TLS encryption, which explains why we have seen phenomena such as Superfish and eDellRoot from time to time.
In addition, Duo reveals that very few companies know how to validate and verify the integrity of updates downloaded from their driver update programs, leaving users exposed to get false (malicious) drivers.
If you take a look at the table below, you will see that the Lenovo Solution Center Driver Update Tool has positive results in the Duo tests.
The tool can be safe now, but it was not before.
In recent months, the researchers security forces bombarded Lenovo with complaints and bug reports. They eventually helped the company implement better security into its app, which just earlier this month received an update to fix some of the reported issues.
Out-of-Box Exploitation: A Security Analysis of OEM Updaters