If you bought a Lenovo laptop in the past two years, you might recall the Superfish drama that affected several of the company’s consumer laptops. Superfish was a suite of applications that would serve you adverts inside your browser using a self-signed certificate, which meant that anyone capable enough to spoof it would be able to serve you malware through your browser using the Superfish network, even through an encrypted HTTPS session. This time around several laptop vendors are shipping software that opens up their customers to attack once more, and it’s a bit more serious now that we have stuff like crypto ransomware and Locky running around.
A report by Duo Security looked at the various mechanisms that notebook manufacturers used to install updates to the machines they sell to customers. While most of this is for the applications pre-installed on the system, otherwise known as bloatware, some of them also fetch and install updated drivers from the hardware manufacturers responsible for the various functions of the machine. The report found twelve vulnerabilities across notebooks from Acer, ASUS, Dell, HP, and Lenovo, and all fell across a spectrum that ranged from “mild concern” to “fresh format your machine now!”
“All of the sexy exploit mitigations, desktop firewalls and safe browsing enhancements can’t protect you when an OEM vendor cripples them with preinstalled software,” the researchers claim. “Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software.”
ASUS’ Live Update software has been found to be insecure, at least in certain parts of the program. It doesn’t request updates from the internet over a secure protocol – rather, those requests are transmitted in plain text, and no checks are made to verify the location of the server it’s connecting to, or whether the updates and drivers it’s fetching are actually from ASUS and its partners. It’s quite possible that this is an oversight on ASUS’ part, but it could end up being quite damaging to the company’s image in the mobile market.
Fixing this is pretty simple for ASUS, but in the meantime it’s recommended to uninstall the application and wait for a new version to be released that fixes the issue. ASUS’ laptops are otherwise quite secure in terms of updates, and there’s no indication that this vulnerability has ever been used to target users in this fashion.
On Lenovo’s side, it looks like they have the same issue. The Lenovo Accelerator application basically speeds up applications by launching them quicker than they normally would using the Windows Superfetch service on slow drives, and is also responsible for serving updates for those same applications that Lenovo bundles themselves. Like ASUS’ Live Update, it doesn’t verify the source of the updates or their authenticity, which leaves the system open to a man-in-the-middle attack by someone’s server pretending to be from Lenovo.
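The checks described as missing from ASUS’ Live Update and Lenovo Accelerator can be sketched as follows. This is an added example, not code from Duo Security or either vendor: the host name, manifest fields and sample payload are constructed assumptions, and the download itself (which should use normal TLS certificate validation) is left out so the block runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: hypothetical vendor update host, not a real ASUS or Lenovo endpoint.
ALLOWED_HOSTS = {"updates.vendor.example"}


class UpdateRejected(Exception):
    """Raised when an update fails a source or integrity check."""


def check_source(url):
    """Require HTTPS and an allowlisted host before anything is fetched."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"plaintext or unknown scheme: {url!r}")
    if parts.username or parts.password:
        raise UpdateRejected("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UpdateRejected(f"unexpected update host: {host!r}")


def verify_update(manifest_url, manifest, payload):
    """Return the payload only if its source and SHA-256 digest check out."""
    check_source(manifest_url)              # where the manifest came from
    check_source(manifest.get("url", ""))   # where the payload came from
    try:
        expected = bytes.fromhex(str(manifest.get("sha256", "")))
    except ValueError:
        expected = b""
    if len(expected) != 32:
        raise UpdateRejected("manifest carries no valid SHA-256 digest")
    actual = hashlib.sha256(payload).digest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected("payload digest does not match manifest")
    return payload


def is_accepted(manifest_url, manifest, payload):
    """Boolean wrapper around verify_update for callers and tests."""
    try:
        verify_update(manifest_url, manifest, payload)
        return True
    except UpdateRejected:
        return False


# Constructed sample data, not a real update package.
GOOD_PAYLOAD = b"constructed driver package v2"
GOOD_MANIFEST = {"url": "https://updates.vendor.example/driver-v2.bin",
                 "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}
```

A digest from a manifest is only as trustworthy as the channel that delivered the manifest, so a shipping updater would also verify the vendor’s code signature on the package before running it.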
More than two dozen notebook and desktop lines are affected, but not surprisingly the ThinkPad and ThinkStation lineups are not. This was the case for Superfish as well, and Lenovo generally doesn’t ship this kind of cruft on their business notebooks. A statement issued by the laptop vendor has urged users to uninstall the application and wait until a new, more secure version is released. If your Lenovo laptop shipped with Windows 7 or 8.1, you’re in the clear as this software wasn’t available for those operating systems.
Acer was the same as the others with similar vulnerabilities, whereas HP and Dell fell somewhere in the middle. It’s mildly frustrating that this still occurs with consumer notebooks, and these companies should take the security of their customers’ data more seriously. While some people rally to bash these brands and pledge support for boycotts on the internet, I’d advise that you simply format the OS out of the box and start on a clean slate instead. Or run Linux, that’s an option too…
Source: Duo Security