This is why everyone calls laptop driver updaters: crapware

May 31, 2016 16:41 GMT

A 36-page report from Duo Security reveals the sorry state of security in laptop OEM bloatware: the annoying programs usually called driver updaters, but most of the time referred to as crapware, that come built in with your newly purchased laptop.

The Duo Security team had a look at the built-in driver updater software packaged with laptops from Acer, Asus, Dell, Hewlett-Packard (HP), and Lenovo.

The results of their analysis were not what the team expected and are devastating for the regular user.

What the Duo team discovered is that many laptop and notebook OEMs (Original Equipment Manufacturers) have hastily put together these programs, which, on closer inspection by trained infosec experts, prove to be riddled with a large number of security problems that sometimes lead to an attacker taking over the device.

  We broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy. [...] The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial.

Most vendor bloatware has an RCE security bug, is vulnerable to MitM attacks

The Duo team says that every laptop vendor's driver updating software included at least one security flaw that allowed an attacker to execute code on the user's laptop and take over the device.

Even worse, Duo says that very few vendors have any clue how to properly implement TLS encryption, which explains why incidents like Superfish and eDellRoot happened in the first place.

Furthermore, Duo also reveals that very few vendors know how to validate and verify the integrity of downloaded driver updates, leaving users exposed to installing rogue drivers.

Even the update tool with the perfect results has a history of security flaws

If you take a look at the table below, you'll see that the Lenovo Solution Center driver update tool has positive results in Duo's tests.

The tool may be secure now, but it wasn't before. In the past months, security researchers have bombarded Lenovo with complaints and bug reports, which eventually helped the company implement better security for its application. Just at the start of the month, the application received an update to fix some of the reported issues.

More details and in-depth analysis of all the security bugs the Duo team discovered can be found in the company's Out-of-Box Exploitation: A Security Analysis of OEM Updaters report.

Laptop OEM bloatware study results
