A 36 page report posted by Duo Security reveals the sad situation with the bloatware used by OEMs in the laptop and not just. By bloatware we describe annoying programs that usually come as driver updaters. Most of the time they are referred to as crapware, and come embedded with your new laptop installed by the company itself.
Duo Security's research team conducted checks on embedded software that comes as driver updater on Acer, Asus, Dell, Hewlett-Packard (HP) notebooks, and Lenovo laptops.
The results of their analysis were very worrying.
The Duo Security team has discovered that many OEMs or Original Equipment Manufacturers are using applications with too many security problems that sometimes leave the attacker full rights to the devices.
"We broke everything and some were worse than others. "Every company had at least one vulnerability that could allow man-in-the-middle (MITM) attacks and arbitrary code execution on the system."
The Duo team reports that the software informationof drivers present in every laptop contains at least one security flaw that allows an attacker to execute code on the user's laptop and take over the device.
Even worse, Duo reports that very few Companies know how to properly implement TLS encryption, which explains why we've occasionally seen phenomena like Superfish and eDellRoot.
In addition, Duo reveals that very few companies know how to validate and verify the integrity of updates downloaded from their driver update programs, leaving users exposed to get false (malicious) drivers.
If you take a look at the table below, you will see that the Lenovo Solution Center Driver Update Tool has positive results in the Duo tests.
The tool can be safe now, but it was not before.
In recent months, the researchers security forces bombarded Lenovo with complaints and bug reports. They eventually helped the company implement better security into its app, which just earlier this month received an update to fix some of the reported issues.
Out-of-Box Exploitation: A Security Analysis of OEM Updaters