Laptop Software Updaters Are Vulnerable To Cyber Crime: Report

by CXOtoday News Desk    Jun 01, 2016

Duo Security has exposed serious vulnerabilities in the software tools that PC manufacturers preload on Windows computers. The firm investigated software update tools from five vendors - Acer, Asus, Dell, Hewlett Packard (HP), and Lenovo - and identified twelve different vulnerabilities across them.

All vendors had at least one vulnerability that allowed for a complete compromise of the affected machine. Attackers could exploit most of the vulnerabilities described in the full report with very little effort and at little to no cost. In many cases, consistent use of encryption would have made the vulnerabilities much more difficult to exploit.

These vulnerabilities are a significant problem for companies whose employees use their Acer, Asus, Dell, HP, or Lenovo laptops with default settings in the workplace. The vulnerable devices open an entire organization up to an attack that results in a data breach.

“Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers,” said Darren Kemp, Security Researcher at Duo Labs. 

“Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation. For a system administrator, it’s a bit of a nightmare when these machines are used for business applications and to access company email. To protect an organization, policies need to be in place to block access to sensitive corporate data from vulnerable or risky devices,” he added.

Duo Labs, the security research team at Duo Security, reported these vulnerabilities to all five vendors at least 90 days ago, which is the standard timeline given to vendors to fix a vulnerability before public disclosure. 

Hewlett-Packard has responded and fixed the high-risk vulnerabilities. Acer and Asus have responded, but have not released their fix timelines yet. Lenovo removed the vulnerable software from their systems, effectively making those machines no longer vulnerable.

Duo Labs recommends that users disable the updaters and remove all third-party components to be fully protected from these vulnerabilities. In addition, organizations should put basic security controls in place, such as two-factor authentication to ensure users are who they say they are, and turn on encryption.