Bloatware pre-installed on millions of new PCs could present hack-doors
Major security flaws in bloatware were uncovered on Dell and Lenovo machines last year. The companies quickly apologized and patched the problems. A recent report has found that many vulnerabilities are still present on new machines as a result of these potentially unwanted programs (PUPs). Of the five manufacturers at fault, two are Dell and Lenovo.
Bloatware (also known as cr*pware) consists of programs that are not integral to the operating system and are usually of very little use to the user. They are, of course, factory-installed so that manufacturers can make a profit from third parties. These PUPs and their shortcuts, etc., take up space and use processing power, slowing down a computer. Any flaws in these apps can create back-doors for malware.
Superfish with your microchips, Sir?
The authors of the report, Duo Security, scrutinized the OEM software on desktops and laptops from Asus, Acer, HP, Dell and Lenovo. The emphasis was on man-in-the-middle vulnerabilities, which third parties (or hackers) could exploit to access a user’s browser data. This was the problem patched last year by the two companies mentioned, when Superfish (adware) entered via the vulnerable PUPs.
New report – same old news
What the report found is not surprising – as well as wasting power and space with unwanted trials, bloatware presented an easy, open backdoor for data theft. Duo located two such entry points in both HP and Acer software; each of the others examined had one vulnerability. The Dell problem was the same as last year – the eDellRoot certificate. On its discovery last year, the company offered a removal tool for existing users, but failed to take the certificate off new PCs sold subsequently. The Dell flaw matters because, although the certificate alone doesn’t allow unauthorized code execution, such execution becomes possible when the certificate is combined with the other vulnerabilities. This can allow remote code execution, enabling a hacker to take control of the entire system.
“Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers,” Darren Kemp of Duo said in a statement. “Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation.”
Get rid of the cr*p
The best move when buying a new machine on the high street is to immediately remove ALL third-party software. Duo advised considering a Signature Edition PC from Microsoft, which comes bloatware-free, though it sometimes still contains OEM-supplied updaters and support packages.
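As a follow-up check after cleaning a new machine, here is an added example (not from the article or from Duo's report): a PowerShell audit of the Windows trusted-root stores for the two names mentioned above, eDellRoot and Superfish, and for any trusted root whose private key is also stored on the PC. The watch list and the private-key heuristic are assumptions of this example, and a finding is a prompt for review rather than proof of compromise.

```powershell
# Added example: audit the Windows trusted-root stores for OEM-installed roots.
# $watchNames holds the two names mentioned in the article; extend as needed.
$watchNames = @('eDellRoot', 'Superfish')
$stores     = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Match the certificate subject against each watched name.
        $nameHit = $watchNames | Where-Object { $cert.Subject -like "*$($_)*" }

        # A trusted root normally has no private key on the local machine.
        # When the key is present, certificates signed with it are trusted by
        # this system, which is what enables man-in-the-middle interception.
        if ($nameHit -or $cert.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = if ($nameHit) { "name match: $nameHit" }
                                else { 'private key present' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No watched names and no trusted roots with a local private key were found.'
}
```

Run it from a PowerShell prompt on the machine being checked; it only reads the certificate stores and changes nothing.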