Big-Maker Bloatware Undermines Windows 10 Security

Buy a computer from a major original equipment manufacturer (OEM), and odds are very good that it’s going to come with some manufacturer-specific programs that do nothing but waste your time.

As it turns out, bloatware isn’t just obnoxious; it’s dangerous, too. A recent study suggests that brand-new machines from Acer, Asus, Dell, HP and Lenovo are just ripe for hacking, and there’s no easy fix.

The study comes from Duo Security, a business-focused security firm from Ann Arbor, Michigan. In a paper entitled "Out-of-Box Exploitation: A Security Analysis of OEM Updaters," researchers Darren Kemp, Chris Czub and Mikhail Davidov put brand-new machines from the aforementioned companies, all of which were running either Windows 8.1 or Windows 10, through their paces and found that their security, to put it mildly, stinks.

The experts discovered 12 vulnerabilities across all the manufacturers, with at least one in each company, and added that the laudable security features of Windows 10 have been undermined by badly secured bloatware.

"All of the sexy exploit mitigations, desktop firewalls and safe browsing enhancements can't protect you when an OEM vendor cripples them with preinstalled software," the researchers wrote. "Many OEM vendors don't seem to understand or care about the need for building basic security measures into their software."


In each case, the problem stemmed from the built-in updaters created for the various forms of bloatware. (There may be vulnerabilities in other bloatware programs, but the researchers determined — correctly — that the updater would be the easiest point of attack.)

While the basic Windows Updater is quite secure, hardware manufacturers often add their own updaters, which also keep the bloatware and some drivers up-to-date. In theory, it’s simpler than updating each program individually, but in practice, it’s much less secure, and devotes resources to programs you don’t really need in the first place.

Without going into excruciating detail, Duo tested five major security components in the updaters: whether the update manifest (or list of updates to be installed) was transmitted over secure channels; whether the manifest was digitally signed to verify that it came from the OEM and not an impostor; whether the updates themselves came with secure authentication; and whether the updater authenticated incoming code.
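
As an illustration of those checks from the updater's side (an added example, not code from the Duo paper or from any OEM), the sketch below refuses an update unless the manifest and package come over TLS, the manifest signature verifies, and the package matches the hash in the signed manifest. The toy RSA key built from two Mersenne primes, the manifest layout and the updates.example.com host are assumptions chosen so it runs offline with only the standard library.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed toy RSA key (two Mersenne primes) so the example is self-contained.
# Assumption for illustration only: a real updater pins the vendor's public key
# and uses a vetted crypto library, never hand-rolled RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, vendor side only
K = (N.bit_length() + 7) // 8            # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    padded = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")

def sign(msg: bytes) -> int:
    """Vendor build server side (constructed here to produce sample data)."""
    return pow(_encode(msg), D, N)

def signature_ok(msg: bytes, sig: int) -> bool:
    """Client side: verify with the public key (N, E) only."""
    return 0 <= sig < N and pow(sig, E, N) == _encode(msg)

def check_update(manifest_url, manifest_bytes, manifest_sig, package_bytes):
    """Return the list of failed checks; an empty list means safe to install."""
    failures = []
    if urlsplit(manifest_url).scheme != "https":
        failures.append("manifest not fetched over TLS")
    if not signature_ok(manifest_bytes, manifest_sig):
        failures.append("manifest signature invalid")
        return failures                  # never parse an unauthenticated manifest
    entry = json.loads(manifest_bytes)
    if urlsplit(entry["url"]).scheme != "https":
        failures.append("package not fetched over TLS")
    if hashlib.sha256(package_bytes).hexdigest() != entry["sha256"]:
        failures.append("package does not match signed manifest")
    return failures

# Constructed sample data: one package and the signed manifest describing it.
PACKAGE = b"MZ constructed installer bytes"
MANIFEST = json.dumps({"url": "https://updates.example.com/tool-1.1.exe",
                       "sha256": hashlib.sha256(PACKAGE).hexdigest()}).encode()
MANIFEST_SIG = sign(MANIFEST)
```

An updater that skips any one of these checks lets whoever controls the network path substitute the manifest or the package.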

Of eight different bloatware updaters found (some brands used more than one), only the Lenovo Solution Center 3.1.001 updater complied with best security practices across the board. A different Lenovo updater, Lenovo UpdateAgent 1.0.0.4, failed every single test, as did the single updaters on Acer and Asus machines. Dell and HP were somewhere in the middle.

Because OEM updaters affect a wide variety of programs and accept new programs and code with minimal user input (they're often automated), it's not hard to see how a minimally clever cybercriminal could use bloatware weakness to his or her advantage.

The researchers found enormous flaws in HP, Asus, Acer and Lenovo updaters that allow remote code execution (an Internet-based attack), or privilege escalation (when a limited user suddenly acquires system-level power). In other words, a hacker could totally hijack a system, or install whatever programs he or she saw fit.

Acer and Asus were the worst offenders, and as of the report's release yesterday (May 31), neither had patched the flaws that the researchers had notified them of months beforehand. Asus was singled out for special mention. 

"Asus appears to be one of the worst OEMs we looked at, providing attackers with functionality that can only be referred to as remote code execution as a service," the researchers wrote in the report. "The 'Asus Live Update' software contains no security features whatsoever. ... [W]e should probably mention they use this atrocity to push out BIOS updates too."

HP got praise for a decent, if imperfect, security effort. But the researchers noted that the company "exposed the most attack surface due to the enormous number of proprietary tools included with the machine. We're not really sure what they all do."

Dell, however, fixed some of the vulnerabilities the researchers found even before the report was completed. The worst vulnerability, revealed in November and known as eDellRoot, had to do with certificates that could be used to bypass authentication, but the company rapidly issued a patch for the problem.

Meanwhile, Lenovo promised the researchers that its insecure updater would be removed from affected machines by late June.

There’s a solution to all of this, but while hardened tech veterans are already nodding their heads sagely, knowing full well what it is, everyday users may blanch. To protect your computer from OEM bloatware vulnerabilities, you should wipe the hard drive — including whatever hidden partition has the OEM build of Windows preinstalled on it — and start afresh.

To do so with Windows 10 requires an installation thumb drive (make your own here). Windows 7 users can usually find a sticker with the activation key on their machine.

To do so with Windows 8.1, you'll need to find the activation key, which might have come with an official Microsoft email. Otherwise, Windows 8.1 users will need to either go into the Registry, ask Microsoft for a new key or shell out a few bucks for a third-party key finder such as those made by iSunshine or Magical Jelly Bean.

In theory, you don’t need an activation key for Windows 10, as it’s hardwired into the motherboard, but you can use the generic ones if necessary: TX9XD-98N7V-6WMQ6-BX7FG-H8Q99 for Windows 10 Home and VK7JG-NPHTM-C97JM-9MPGT-3V66T for Windows 10 Pro edition.  

Obviously, if you can do all this as soon as you get your new computer, you can set to work right away. If you’ve had your machine for a while, though, be sure to back up your files first. It’s a pain, but it’s much less of a hassle than getting your system hijacked.