ASUS Live Update software preinstalled on all ASUS computers downloads crucial BIOS and UEFI updates via HTTP and installs them without verifying the source or content validity.
The Live Update toolkit is a familiar one bloatware, that is, a software pre-installed on your computer by the manufacturer. Very few people are aware of its presence, and most of them believe it must be there as it was on their system by their computer manufacturer.
Unfortunately for ASUS customers, the company's official bloatware does not uses some secure mechanism for providing updates, according to the security researcher Morgan Gangwere.
The LiveUpdate feature on ASUS devices sends and receives requests to and from ASUS servers for new updates without encryption using the HTTP protocol.
Από την άλλη πλευρά οι διακομιστές της ASUS απαντούν σε αυτά τα ερωτήματα μέσω HTTP, χρησιμοποιώντας ασαφή αρχεία XML, τα οποία είναι επίσης εύκολο να αντικατασταθούν με άλλα που περιέχουν malicious κώδικα, ή κώδικα που έχει σαν στόχο να εξαπατήσει τον τελικό χρήστη.
ASUS Live Update software does not control the validity of the response it receives from the server, and does the installation from any software it accepts without checking its source or content.
This installation is performed with an administrator… account.
Please note that LiveUpdate is used to distribute drivers: from USB to BIOS and UEFI firmware. So an attacker only needs to wait for the user to look for new updates to send him his malicious code.
The latest version of the utility proletterASUS Live Update is v3.3.4, released in July 2015.
So it would be good to remove the software directly from your computer.