Users recommended to update pre-installed software ASAP

Dec 18, 2019 08:58 GMT  ·  By

Security researchers at SafeBreach discovered critical vulnerabilities in a trio of apps that typically come pre-loaded on Windows devices.

The applications are developed by Intel, ASUS, and Acer and typically ship pre-installed on Windows computers from those vendors.

In the case of ASUS, the vulnerability affects the ASLDR Service in the ASUS ATK Package: the service launches a process using an unquoted path, so an attacker who can plant an executable at one of the locations Windows tries first gets it run by the signed service. According to SafeBreach's in-depth write-up, that gives persistence (the payload is loaded at every boot) as well as execution and evasion, since the activity originates from a legitimate, signed service.

“The root cause of this unquoted search path vulnerability happens because the command line doesn’t contain a quoted string between the path of the executable and the argument - so the CreateProcessAsUser function tries to split it by itself each time it parses a space character,” SafeBreach explains.

The flaw was discovered in ATK Package version 1.0.0060 and older, and users are recommended to update to the latest release as soon as possible.
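The splitting SafeBreach describes is what CreateProcess and CreateProcessAsUser do with any unquoted command line: the string is cut at each space, each prefix is tried as an executable (with .exe appended when it has no extension), and the first one that exists is run. The script below is an added example, not code from SafeBreach or ASUS; it reproduces that candidate order for a service ImagePath and flags the candidates a standard user could plant. The service names, paths, existing files and writable directories are constructed for the demo; on a real host the two sets would be replaced by os.path.exists and an ACL check (icacls or Get-Acl).

```python
"""Which executables will the loader try for an unquoted service path?

Mirrors the documented CreateProcess* behaviour for an unquoted command line:
the string is split at every space, each prefix is tried in turn (with .exe
appended when it has no extension) and the first candidate that exists is run.
The service entries, existing files and writable directories below are
constructed for this example; they are not real registry values or ACLs.
"""
import ntpath

# Constructed sample data: one unquoted ImagePath and its correctly quoted form.
SAMPLE_SERVICES = {
    "VendorUpdSvc": r"C:\Program Files\Vendor Name\Upd Svc\updsvc.exe /start",
    "VendorUpdSvcQuoted": r'"C:\Program Files\Vendor Name\Upd Svc\updsvc.exe" /start',
}
# Files that exist on the modelled host.
EXISTING_FILES = {r"C:\Program Files\Vendor Name\Upd Svc\updsvc.exe"}
# Directories a standard user can write to (a vendor folder with a loose ACL, constructed).
USER_WRITABLE_DIRS = {r"C:\Program Files\Vendor Name"}


def _with_exe(path: str) -> str:
    """Append .exe unless the final path component already has an extension."""
    return path if "." in ntpath.basename(path) else path + ".exe"


def exe_candidates(command_line: str) -> list[str]:
    """Return the executable paths the loader tries, in order, for a command line."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        # Quoted: the executable is exactly the quoted string, nothing to guess.
        end = command_line.find('"', 1)
        return [command_line[1:end]] if end > 1 else []
    candidates: list[str] = []
    idx = -1
    while True:
        idx = command_line.find(" ", idx + 1)
        prefix = command_line if idx == -1 else command_line[:idx]
        cand = _with_exe(prefix)
        if cand not in candidates:
            candidates.append(cand)
        if idx == -1:
            return candidates


def hijack_points(command_line: str, existing_files: set[str], writable_dirs: set[str]) -> list[str]:
    """Candidates tried before the real binary whose directory a standard user can write to."""
    existing = {p.lower() for p in existing_files}
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    points = []
    for cand in exe_candidates(command_line):
        if cand.lower() in existing:
            break  # the loader runs this one; later candidates are never tried
        if ntpath.dirname(cand).lower().rstrip("\\") in writable:
            points.append(cand)
    return points


def audit(services, existing_files, writable_dirs):
    """Map service name -> plantable paths, omitting services with none."""
    report = {}
    for name, image_path in services.items():
        points = hijack_points(image_path, existing_files, writable_dirs)
        if points:
            report[name] = points
    return report


if __name__ == "__main__":
    for name, points in audit(SAMPLE_SERVICES, EXISTING_FILES, USER_WRITABLE_DIRS).items():
        print(f"{name}: attacker can plant {', '.join(points)}")
```

For the unquoted entry the loader tries C:\Program.exe, C:\Program Files\Vendor.exe and C:\Program Files\Vendor Name\Upd.exe before reaching updsvc.exe; only the third sits in a directory the modelled user can write to, so that is the file an attacker would drop. The quoted form of the same path yields a single candidate and nothing to plant, which is the whole fix.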

Acer and Intel flaws

The Acer security flaw was found in Acer Quick Access, also preinstalled on Windows. SafeBreach explains that, through DLL hijacking, an attacker can get code running with SYSTEM rights, loading and executing malicious payloads inside the service and obtaining persistence.

The Acer flaw has two root causes: the service performs no digital-signature validation on the DLLs it loads, and it resolves them through an uncontrolled search path.

“The service tries to load the DLL files using LoadLibraryW instead of using LoadLibraryExW, which can control the paths from which the DLL files can be loaded,” SafeBreach notes.

The bug exists in Acer Quick Access versions 2.01.3000 to 2.01.3027 and 3.00.3000 to 3.00.3008; the patched versions are 2.01.3028 and 3.00.3009.
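The "uncontrolled search path" behind the Acer finding is the default DLL search order: LoadLibraryW probes the application directory first, then the system directories, then the directories on PATH, so a DLL that is missing or found late can be satisfied from any earlier directory the attacker can write to. The script below is an added example, not SafeBreach's or Acer's code: it parses a constructed Process Monitor-style trace of a service resolving two DLLs and reports the probes that land in user-writable directories before the real DLL is found. The service name, paths, trace lines and writable directories are all constructed for the demo.

```python
"""Find DLL-hijack candidates in a Process Monitor style CSV trace.

A directory the loader probes before the real DLL is found, or every probed
directory when the DLL is missing altogether, is a hijack point if a standard
user can write to it.  The trace and ACL findings below are constructed for
this example; they are not a capture from any real product.
"""
import csv
import io
import ntpath

# Constructed Procmon-style export: vendorsvc.exe (running as SYSTEM) calls
# LoadLibraryW("helper.dll") and LoadLibraryW("version.dll") with the default
# search order.  helper.dll does not exist anywhere; version.dll lives in System32.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:00:01.0001","vendorsvc.exe","1234","CreateFile","C:\Program Files\Vendor Name\vendorsvc.exe","SUCCESS"
"10:00:01.0002","vendorsvc.exe","1234","CreateFile","C:\Program Files\Vendor Name\helper.dll","NAME NOT FOUND"
"10:00:01.0003","vendorsvc.exe","1234","CreateFile","C:\Windows\System32\helper.dll","NAME NOT FOUND"
"10:00:01.0004","vendorsvc.exe","1234","CreateFile","C:\Windows\System\helper.dll","NAME NOT FOUND"
"10:00:01.0005","vendorsvc.exe","1234","CreateFile","C:\Windows\helper.dll","NAME NOT FOUND"
"10:00:01.0006","vendorsvc.exe","1234","CreateFile","C:\Tools\helper.dll","NAME NOT FOUND"
"10:00:01.0007","vendorsvc.exe","1234","CreateFile","C:\Program Files\Vendor Name\version.dll","NAME NOT FOUND"
"10:00:01.0008","vendorsvc.exe","1234","CreateFile","C:\Windows\System32\version.dll","SUCCESS"
'''

# Directories a standard user can write to (constructed ACL findings: a vendor
# folder with a loose ACL and a world-writable tools directory that is on PATH).
USER_WRITABLE_DIRS = {r"C:\Program Files\Vendor Name", r"C:\Tools"}


def _norm(directory: str) -> str:
    """Case-fold and drop a trailing backslash so directory comparisons are stable."""
    return directory.lower().rstrip("\\")


def dll_probes(csv_text: str) -> dict[str, list[tuple[str, str]]]:
    """Group CreateFile probes for *.dll by DLL name, preserving trace order."""
    probes: dict[str, list[tuple[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        probes.setdefault(ntpath.basename(path).lower(), []).append((path, row["Result"]))
    return probes


def hijack_candidates(csv_text: str, writable_dirs: set[str]) -> dict[str, list[str]]:
    """Map DLL name -> paths a standard user could create to get it loaded."""
    writable = {_norm(d) for d in writable_dirs}
    findings: dict[str, list[str]] = {}
    for dll, probes in dll_probes(csv_text).items():
        hits = []
        for path, result in probes:
            if result == "SUCCESS":
                break  # the loader takes the first copy it finds; later probes never happen
            if _norm(ntpath.dirname(path)) in writable:
                hits.append(path)
        if hits:
            findings[dll] = hits
    return findings


if __name__ == "__main__":
    for dll, paths in hijack_candidates(PROCMON_CSV, USER_WRITABLE_DIRS).items():
        print(f"{dll}: plant at " + " or ".join(paths))
```

Every flagged path is a file a standard user can create to get code into the SYSTEM service: helper.dll can be planted in the vendor directory or in C:\Tools, and version.dll in the vendor directory, because the loader checks there before it reaches the genuine copy in System32. The fix SafeBreach points to, LoadLibraryExW with a restricted search (LOAD_LIBRARY_SEARCH_SYSTEM32, or SetDefaultDllDirectories for the whole process), would leave only the System32 probe in such a trace; and as the Intel finding below shows, even a DLL found in the expected directory should still be checked with WinVerifyTrust before it is loaded.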

As far as Intel is concerned, the issue resides in Intel Rapid Storage Technology, whose service can be made to load an arbitrary unsigned DLL into its signed process. The DLL then runs with SYSTEM rights, although administrator privileges are required to plant it, so the gain for an attacker is chiefly persistence and evasion under a signed Intel process rather than a jump across a privilege boundary.

“The root cause of this vulnerability is that no signature validation is made against the DLL files which the service tries to load (i.e. calling the WinVerifyTrust function),” SafeBreach points out, adding that attackers can “load and execute malicious payloads within the context of an Intel Corporation signed process.”

The vulnerability was reported to Intel in July and fixes were released on December 10, according to the disclosure timeline.