A 36-page report published by Duo Security reveals the sorry state of the bloatware that OEMs ship on laptops and beyond. By bloatware we mean the annoying programs that usually come as driver updaters. They are often referred to as crapware, and they come preinstalled on your new laptop by the manufacturer itself.
Duo Security's team of researchers conducted checks on the built-in software that comes as a driver updater on laptops from Acer, Asus, Dell, Hewlett-Packard (HP), and Lenovo.
The results of their analysis were very worrying.
The Duo Security team discovered that many OEMs (Original Equipment Manufacturers) ship applications with so many security problems that they sometimes give an attacker full control of the device.
"We broke all of them, and some were worse than others. Every vendor had at least one vulnerability that could allow man-in-the-middle (MITM) attacks and arbitrary code execution on the system."
The Duo team reports that the driver update software on each laptop includes at least one security flaw that allows an attacker to run code on the user's laptop and take over the device.
Even worse, Duo reports that very few companies know how to properly implement TLS encryption, which explains why we have seen incidents like Superfish and eDellRoot from time to time.
In addition, Duo reveals that very few companies know how to validate and verify the integrity of the updates their driver update programs download, leaving users exposed to receiving fake (malicious) drivers.
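The integrity check that the report finds missing can be sketched as follows. This is an added example, not code from Duo's report or from any vendor's updater; the `Manifest` format, the function names and the sample data are assumptions made for illustration. The updater accepts a driver package only when a manifest signed with a pinned vendor key vouches for its digest and for a newer version, so a package altered in transit is rejected even if the download channel is compromised.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical update descriptor that the vendor signs offline.
type Manifest struct {
	Name    string `json:"name"`
	Version int    `json:"version"`
	SHA256  []byte `json:"sha256"` // digest of the driver package
}

// VerifyUpdate accepts pkg only if the manifest is signed by the pinned key,
// its version is newer than the installed one, and the package digest matches.
func VerifyUpdate(pinned ed25519.PublicKey, raw, sig, pkg []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pinned, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than %d", m.Version, installed)
	}
	if sum := sha256.Sum256(pkg); !bytes.Equal(sum[:], m.SHA256) {
		return nil, fmt.Errorf("package digest mismatch")
	}
	return &m, nil
}

// SignedSample builds constructed test data with a throwaway key pair.
func SignedSample(pkg []byte, version int) (ed25519.PublicKey, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	sum := sha256.Sum256(pkg)
	raw, _ := json.Marshal(Manifest{Name: "driver.pkg", Version: version, SHA256: sum[:]})
	return pub, raw, ed25519.Sign(priv, raw)
}

func main() {
	pkg := []byte("constructed driver bytes")
	pub, raw, sig := SignedSample(pkg, 2)
	_, err := VerifyUpdate(pub, raw, sig, append(pkg, '!'), 1)
	fmt.Println("package modified in transit:", err)
}
```

The signature is checked over the raw manifest bytes before they are parsed, and the version comparison keeps an old, validly signed package from being replayed as an "update".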
If you take a look at the table below, you will see that the Lenovo Solution Center driver updater tool has positive results in Duo's tests.
The tool may be safe now, but it was not before.
In recent months, security researchers have bombarded Lenovo with complaints and bug reports. These ultimately helped the company improve the security of its implementation, which received an update at the beginning of the month to correct some of the issues mentioned.
Out-of-Box Exploitation: A Security Analysis of OEM Updaters