Customers in danger of having their computers tainted with fake updates, malformed firmware or all sorts of malware

Jun 5, 2016 15:30 GMT  ·  By

The ASUS LiveUpdate software that comes pre-installed on ASUS computers downloads critical BIOS and UEFI updates over plaintext HTTP and installs them without verifying either the source or the integrity of what it received.

The LiveUpdate toolkit is what you'd call bloatware or crapware: software prepackaged on your computer that's already there when you boot up for the first time. Very few people are aware of its presence, and most of those who are assume it belongs there because it comes from their laptop's manufacturer.

Unfortunately for ASUS customers, the company's official "bloatware" doesn't use the most secure mechanism to deliver updates, as US security researcher Morgan Gangwere has discovered.

HTTP communications expose users to MitM attacks

The LiveUpdate feature installed on ASUS devices queries the ASUS servers for new updates via unencrypted HTTP requests, which anyone on the network path (a hostile Wi-Fi hotspot, a compromised router, an upstream provider) can intercept and spoof.

On the other side of the query process, the ASUS servers reply to these queries over HTTP as well, using obfuscated XML files. Obfuscation is not authentication: the encoding is easy to reverse-engineer, and once it is understood an attacker can produce responses the client cannot tell apart from genuine ones.

ASUS LiveUpdate doesn't verify the validity of the response it receives from the server in any way, and it will install any software it receives without checking who produced it or whether it was altered in transit.
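The two checks the article says LiveUpdate skips, shown side by side as an added example (this is not ASUS's code and not the researcher's): a client that accepts whatever the HTTP server returned, beside one that verifies an Ed25519 signature on the update manifest against a vendor key pinned in the client and then checks the downloaded payload against the digest carried in the signed manifest. The JSON manifest layout, the key pair, the payload bytes and every function name are assumptions made for the example; nothing here reflects the real LiveUpdate wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest stands in for the obfuscated XML LiveUpdate receives; it is an
// assumption of this example, not ASUS's real format.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the payload the vendor built
}

// SignedManifest is the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct{ Manifest, Signature []byte }

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

func digest(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// InsecureInstall mirrors the behaviour the article describes: whatever came
// back over HTTP is parsed and handed to the installer. Obfuscating the XML
// would not help; it is reversible and says nothing about who produced it.
func InsecureInstall(manifest []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(manifest, &m)
	return m, err // no source check, no content check
}

// VerifiedInstall is the hardened form: the vendor public key is pinned in the
// client, so an on-path attacker can neither forge a manifest nor swap the
// payload without breaking the signed digest, even over plaintext HTTP.
func VerifiedInstall(vendorKey ed25519.PublicKey, sm SignedManifest, payload []byte) (Manifest, error) {
	if !ed25519.Verify(vendorKey, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if digest(payload) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// SignManifest is the vendor side: bind the payload digest, then sign with the
// offline signing key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) (SignedManifest, error) {
	b, err := json.Marshal(Manifest{Version: version, SHA256: digest(payload)})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Outcome records what each client did so the scenario is checkable in code.
type Outcome struct {
	InsecureAcceptedTampered                                bool
	VerifiedGenuine, VerifiedTampered, VerifiedWrongPayload error
}

// RunScenario generates a throwaway vendor key (nil reader = crypto/rand) and
// walks both clients through a genuine update and a MitM-modified one.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("BIOS image 2.05 (constructed sample)")    // constructed
	evil := []byte("attacker executable (constructed sample)") // constructed
	sm, err := SignManifest(priv, "2.05", genuine)
	if err != nil {
		return Outcome{}, err
	}
	// The on-path attacker rewrites the manifest to match their own payload but
	// has no vendor key, so the best they can do is replay the old signature.
	forged, _ := json.Marshal(Manifest{Version: "2.05", SHA256: digest(evil)})
	bad := SignedManifest{Manifest: forged, Signature: sm.Signature}
	var o Outcome
	_, err = InsecureInstall(bad.Manifest)
	o.InsecureAcceptedTampered = err == nil
	_, o.VerifiedGenuine = VerifiedInstall(pub, sm, genuine)
	_, o.VerifiedTampered = VerifiedInstall(pub, bad, evil)
	_, o.VerifiedWrongPayload = VerifiedInstall(pub, sm, evil) // genuine manifest, swapped binary
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure client accepted tampered update: %v\n", o.InsecureAcceptedTampered)
	fmt.Printf("verified client: genuine=%v tampered=%v swapped=%v\n", o.VerifiedGenuine, o.VerifiedTampered, o.VerifiedWrongPayload)
}
```

The point of pinning a vendor key and signing the manifest is that it authenticates the update itself rather than the connection: the check holds even when the download still travels over plain HTTP, and switching the transport to HTTPS on its own would not have caught a malicious file served from a compromised or misconfigured update host. Signing and digest checks belong together; a signed manifest with no digest would still let an attacker swap the binary at the download URL.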

Update process takes place under admin privileges

This installation takes place under the same permissions used by the update checker, which is, you guessed it, an administrator account.

Gangwere says that launching the executable from under this account ensures that "there is little chance of an executable that is not authenticode signed from causing problems."

Since LiveUpdate can deliver anything from USB drivers up to BIOS/UEFI firmware, an attacker only needs to have the patience to wait for a user's laptop to query for updates before delivering their malicious code.

The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish.

The most recent version of the ASUS LiveUpdate utility is v3.3.4, released in July 2015. Softpedia has reached out to ASUS in regards to the researcher's findings.

This past week, Lenovo faced a similar situation with its Accelerator driver update utility. Instead of issuing a security update, the company decided it would be best if it advised customers to uninstall its software.

Researcher delivering a malicious update to his ASUS laptop