Samsung engineers patch their bloatware once again

Jun 14, 2016 00:26 GMT

Samsung engineers have fixed yet another serious issue in the company's driver update utility which, if exploited, would have allowed a malicious actor to take over a user's device.

The issue, discovered by German security firm Blue Frost Security, affected the company's system update tool called SW Update. This app is your standard bloatware, packed with all Samsung laptops and desktop computers, and advertised as a driver update utility.

Most PC vendors these days offer a similar utility, and almost all are as vulnerable and prone to security flaws as Samsung's SW Update, as proven by recent research carried out by Duo Security.

A hacker could have rewritten SW Update core DLL files

According to Blue Frost, all Samsung SW Update versions up to and including 2.2.7.22 featured an incorrect configuration of the Windows ACL (Access Control List).

An attacker aware of this issue would have been able to overwrite DLL files in the app's installation folder. The attacker could have modified one of the three critical DLLs loaded with the app every time it starts.

By adding malicious code to these three files, a hacker would have had control of the entire device. The only condition is that the attacker needed to wait for the user to reboot their computer in order to have the PC execute the tainted DLLs. Since SW Update runs under SYSTEM user privileges, the DLLs would have had full access to the entire computer.

Issue fixed in SW Update 2.2.7.24

The security firm reported the issue to Samsung engineers on April 25. The company fixed the problem on May 30 by disabling file write permissions on the affected folder: "C:\ProgramData\Samsung\SW Update Service\".
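As an added example (not code from the article, Samsung or Blue Frost), here is a PowerShell check an administrator could run to audit whether a folder used by a SYSTEM-level service grants write access to low-privileged users, which is the misconfiguration class described above. The folder path is the one the article names; the list of low-privileged principals is an assumption and can be extended for other vendor update tools.

```powershell
# Added audit example: flag Allow ACEs on a service folder that give
# low-privileged principals the ability to create or replace files (e.g. DLLs).
param(
    [string]$Path = 'C:\ProgramData\Samsung\SW Update Service\'   # folder named in the article
)

# Assumed list of principals that should never hold write rights on a SYSTEM-run service folder
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal add or overwrite files in the folder
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, AppendData'

function Test-WeakFolderAcl {
    param([string]$FolderPath)

    if (-not (Test-Path -LiteralPath $FolderPath)) {
        Write-Warning "Folder not found: $FolderPath"
        return @()
    }

    $acl = Get-Acl -LiteralPath $FolderPath
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are ignored here
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $grantsWrite = ($ace.FileSystemRights -band $writeRights) -ne 0
        if ($grantsWrite -and ($lowPrivPrincipals -contains $who)) {
            [pscustomobject]@{
                Folder    = $FolderPath
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs usually point at a weak parent folder
            }
        }
    }
    return @($findings)
}

$weak = Test-WeakFolderAcl -FolderPath $Path
if ($weak.Count -eq 0) {
    "No low-privileged write access found on $Path"
} else {
    $weak | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl can read the folder's security descriptor; an inherited finding means the fix belongs on the parent folder rather than on the service folder itself.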

Users should upgrade their SW Update app to version 2.2.7.24, either by using the built-in updater or by grabbing a fresh copy off Samsung's site.

Last March, Samsung fixed another severe vulnerability in the SW Update tool after experts from Core Security reported that the app used an insecure driver download and update mechanism via HTTP.

Blue Frost Security previously discovered an issue in the FireEye antivirus that allowed crooks to whitelist malware.
