Acer, Asus, Dell, HP, Lenovo all add bloatware with high-risk vulnerabilities to Windows 10 noteboo

Posted:
in General Discussion edited June 2016
A study by Duo Labs looking at a series of name-brand PC makers revealed that their bundled software "is making us vulnerable and invading our privacy."




"Updaters are an obvious target for a network attacker, this is a no-brainer," wrote Duo Labs researcher Darren Kemp. "There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM's to learn from this, right?

"Spoiler: we broke all of them."Every vendor shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM

Kemp noted that an analysis of Windows 10 notebooks from Acer, Asus, Dell, HP and Lenovo found that "every vendor shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine."

He added, "the level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."

Even without third party partners adding their own poorly designed bloatware, Microsoft Windows 10 was discovered to continue to connect to Microsoft's servers and send unknown data, even after users activate data privacy settings.

Lenovo scrambles to save its sloppy security record



China's Lenovo--the largest producer of both Windows PCs and Android smartphones--responded to the report by issuing a security advisory that "recommends customers uninstall Lenovo Accelerator Application by going to the 'Apps and Features' application in Windows 10, selecting Lenovo Accelerator Application and clicking on 'Uninstall,'"

One of the components of the Lenovo Accelerator Application is UpdateAgent, which Duo Labs had called "one of the worst updaters" due to the fact that it pings Lenovo's servers for new updates every ten minutes.

Because there is "no verification or encryption protecting the transmission of updates, it's trivial for an attacker to insert malicious code," noted a report by ThreatPost.

Duo Labs researcher Mikhail Davidov noted of UpdateAgent, "It was unclear at the time of discovery what its legitimate use was for," adding that "Lenovo's decision to advise users to uninstall it manually seems strange to me, as an update can be pushed to all affected models to uninstall itself without requiring user interaction."

ThreatPost added, "These issues are not unique to Lenovo. All of the vendors' machines Duo Labs examined had similar flaws around a lack of encryption, privilege escalation and remote code execution vulnerabilities. Of those vendors who did encrypt the transmission of updates, for example, some were either poorly implemented or failed to include proper validation checks."

One year after Lenovo's Superfish scandal



Last year, Lenovo was discovered to have bundled Superfish adware on its notebook computers, software that was designed to hijacks users' browser sessions to inject customized advertisements but had a side effect of seriously degrading the security of encrypted connections.

To inject ads in pages involving encrypted HTTPS requests, Superfish loaded its own a self-signed root certificate on the Lenovo machines. Pages loaded over HTTPS are signed with this certificate, rather than the actual certificate of the site owner, allowing Superfish to decrypt the contents without the user knowing.


Bank of America's website being signed with a Superfish certificate, as noticed by Google security engineer Chris Palmer


Lenovo responded by saying it would stop sending ads to Superfish-tained machines and stop installing Superfish on its new Windows PCs, but did nothing to solve the actual problem Superfish created for users.

The company effectively blew off the findings of researchers by claiming in a statement that it "thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Windows, like Android, endangered by hardware partner's malice or incompetence



The fact that top tier PC makers are all bundling their own poorly designed software with Windows, introducing easy to exploit security vulnerabilities, has a clear parallel on Android, where hardware vendors routinely bundle not just buggy software updaters but often even purposely disable the security configuration settings that protect devices from installing apps from malicious third-party sources and in some cases install security backdoors.

A 2014 study by Bluebox Labs tested a dozen Black Friday bargain Android tablets from major retailers including Amazon, Best Buy, Kmart, Kohl's, Staples, Target and Walmart and reported "shocking" security flaws, malware and active backdoors installed on the new devices.

These flaws are on top of issues that affect the Android OS itself, which have included vulnerabilities such as Masterkey, FakeID and Stagefright.

Security is a key issue for Apple



While Google's chairman Eric Schmidt boasted to the media in 2014 that "our systems are far more secure and encrypted than anyone else, including Apple," groups that take privacy and security seriously, like the Electronic Frontier Foundation, have recommended Apple's messaging products for their end-to-end encryption while cautioning that Google did not provide similar security for its users.

Last November, Chris Soghioan, the principal technologist for the American Civil Liberties Union, went even further to state that Apple's efforts to protect the privacy of its users, including end-to-end encryption of their communications, effectively separated its more affluent iOS users from the poor and disadvantaged forced to use Android.

"The security people I know at Google are embarrassed by Android," Soghioan noted.

"Apple is nearly unique of tech firms in it's high profile, has revenue that don't rely on compromising privacy... " https://t.co/F7IIlb4shL

-- Jeremiah Grossman (@jeremiahg)


Both Android devices and Windows PCs have a wide variety of over the counter spyware tools and privacy exploits that are easy for even amateurs to find, while even tools sold to law enforcement (including FinSpy, above, from global surveillance firm Gamma Group) note that they won't work on iPhones and other iOS devices unless their security has been jailbroken by the user.

Apple has doubled down on security and privacy as key features of its Mac and iOS platforms. Additionally, without any commercial interest in collecting user data for marketing purposes, Apple is in a unique position to defend user privacy and security.

Last summer, Apple introduced WebKit Content Blockers as a secure new App Extension to enable developers to create tools that filter out any web content, including display ads and user tracking.

The company is likely to outline further new initiatives in security and user privacy at its Worldwide Developer Conference to be held in San Francisco the week after next.
lolliver
«1

Comments

  • Reply 1 of 24
    lkrupplkrupp Posts: 5,628member
    Doesn’t matter. Windows Rulz! Apple Suckz! Ask any neckbeard. Windows and Android rule the world. Apple is a has-been toy maker. I read this on the Internet.
    stanthemanmacky the mackycalimagman1979tallest skilwilliamlondonjony0
  • Reply 2 of 24
    gumbigumbi Posts: 146member
    lkrupp said:
    Doesn’t matter. Windows Rulz! Apple Suckz! Ask any neckbeard. Windows and Android rule the world. Apple is a has-been toy maker. I read this on the Internet.

    Neckbeards are usually GNU/Linux supporters, not windows. 

    And for the most part, *nix, Android, and Windows do rule the world.

    The above article is why I always tell people NOT to buy their machines from the OEM or a big box outlet.  You can usually get the better models as Signature Edition machines directly from the MS store.  No crapware, no adware.  Just windows and the necessary drivers - and often a 1 year office 365 subscription for free :)
    thewhitefalconkpom
  • Reply 3 of 24
    Microsoft doesn't care about privacy, that's been proven over and over again over the past 20 years.
    caliP-DogNCmacseekermagman1979tallest skilwilliamlondonjbdragonjony0lolliver
  • Reply 4 of 24
    gumbi said:
    lkrupp said:
    Doesn’t matter. Windows Rulz! Apple Suckz! Ask any neckbeard. Windows and Android rule the world. Apple is a has-been toy maker. I read this on the Internet.

    Neckbeards are usually GNU/Linux supporters, not windows. 

    And for the most part, *nix, Android, and Windows do rule the world.

    The above article is why I always tell people NOT to buy their machines from the OEM or a big box outlet.  You can usually get the better models as Signature Edition machines directly from the MS store.  No crapware, no adware.  Just windows and the necessary drivers - and often a 1 year office 365 subscription for free
    Agreed, Signature Editions are a safe bet. If that's not an option, doing a fresh install is the next best thing (thankfully that's easier than ever with Win 10). 
    edited June 2016 lord amhrankpom
  • Reply 5 of 24
    apple ][apple ][ Posts: 8,360member
    I'm proud to declare that I've never owned  a PC laptop in my entire life, and you can bet your first born that I never will either.

    I'm not the least bit surprised that there's plenty of bloatware and unwanted, dangerous crap inside.

    I've always hated how PC laptops usually came with tons of stickers plastered on them. How ugly and disgusting is that? That right there is a deal breaker, and it just tells you all about the mentality of the companies releasing such machines, and nobody should be shocked that there is tons of unwanted crap on the inside too, and not just on the outside.
    macseekerP-DogNCglossywhitebaconstangkpomlollivermaxit
  • Reply 6 of 24
    revenantrevenant Posts: 456member
    I have windows on my mac and it works totally fine. No viruses of any kind. In fact, it never updates. That might be because, when I sadly have to switch to windows, I turn off airport. 
  • Reply 7 of 24
    williamhwilliamh Posts: 579member
    If you sleep with the dogs, you wake up with fleas.
    magman1979fotoformatglossywhitebaconstangjony0pscooter63lolliver
  • Reply 8 of 24
    the.bearthe.bear Posts: 14member
    First, Lenovo is nowhere near the top seller of Android devices. They aren't even in the top 3 in China: Oppo, Xiaomi and Huawei sold more last quarter. Second, while we hear a ton about security vulnerabilities on Android, the truth is that almost none of them affect the end user. 95% of the reports are potential attack vectors that are discovered and closed before anyone exploits them. The rest are attacks on devices that lack Google Play Services. There are only 2 Android security issues that actually affected end users that I can remember: one affecting non-Google Play devices in China, and another affecting about 200,000 users in Russia, which incidentally was the biggest security issue on Android by far. Also, both those security issues involved infected apps. None of them involved exploits against the OS itself. Google does remove infected apps - mostly spyware - from the Google Play Store all the time but so does Apple and the App Store: https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/ Android security holes are a much bigger issue for people who adamantly inform you that they would never use an Android device than for the nearing 2 billion people who actually do. As far as the Windows issues ... well that is exactly why the Android security talk is so much noise with very little substance. We all remember in the late 90s and early 00s how Windows had actual security issues that affected anywhere from hundreds of thousands to tens of millions of users on a daily basis. Scores of people had their identities stolen, bank accounts drained, systems hi-jacked, files stolen or corrupted and hard drives bricked. SQL Slammer, Melissa Virus, Doom, Code Red, Poison Ivy ... you name it. It was common to see "do not open this email!" and "do not download this file!" warnings from IT departments and in the media. The best part? For years, Microsoft did absolutely nothing. Their position FOR YEARS was that security was not their responsibility, and they actually told people to go out and get third party software! Things got a little better with Windows 7, and even though Windows 8 was a total disaster otherwise, that was when the security software included with Windows was good enough to not require buying third party software for most people. But seriously, if anywhere near as many security issues were on Android as there were on, say, Windows XP back in the day, Android would have collapsed long ago. Android users would have abandoned it for - gasp! - Windows Mobile, which is regarded as #2 behind iOS for security, and has had a much easier time being certified for sensitive government and enterprise users for this reason. As for why Windows Mobile is far more secure than Windows PC who knows ... you will have to ask Microsoft about that.
    gatorguywmforkmike1cropr
  • Reply 9 of 24
    correctionscorrections Posts: 1,142member
    gumbi said:

    The above article is why I always tell people NOT to buy their machines from the OEM or a big box outlet.  You can usually get the better models as Signature Edition machines directly from the MS store.  No crapware, no adware.  Just windows and the necessary drivers - and often a 1 year office 365 subscription for free :)
    Not correct, according to Duo Labs: "Every OEM we looked at included one (or more) with their default configuration. We also noticed that Microsoft Signature Edition systems also often included OEM update tools, potentially making their distribution larger than other OEM software."
    magman1979lollivermaxit
  • Reply 10 of 24
    correctionscorrections Posts: 1,142member
    Agreed, Signature Editions are a safe bet. If that's not an option, doing a fresh install is the next best thing (thankfully that's easier than ever with Win 10). 
    Not correct, according to Duo Labs: "Every OEM we looked at included one (or more) with their default configuration. We also noticed that Microsoft Signature Edition systems also often included OEM update tools, potentially making their distribution larger than other OEM software."
    magman1979jbdragonlollivermaxit
  • Reply 11 of 24
    correctionscorrections Posts: 1,142member
    the.bear said:
    First, Lenovo is nowhere near the top seller of Android devices. They aren't even in the top 3 in China: Oppo, Xiaomi and Huawei sold more last quarter. Second, while we hear a ton about security vulnerabilities on Android, the truth is that almost none of them affect the end user. 95% of the reports are potential attack vectors that are discovered and closed before anyone exploits them.

    This is not remotely true.

    The rest are attacks on devices that lack Google Play Services. There are only 2 Android security issues that actually affected end users that I can remember: one affecting non-Google Play devices in China, and another affecting about 200,000 users in Russia, which incidentally was the biggest security issue on Android by far. Also, both those security issues involved infected apps. None of them involved exploits against the OS itself.

    Not remotely true. The article lists three major issues that affected (and still affect) a very large portion of Google Play devices. 

    Google does remove infected apps - mostly spyware - from the Google Play Store all the time but so does Apple and the App Store: https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/ Android security holes are a much bigger issue for people who adamantly inform you that they would never use an Android device than for the nearing 2 billion people who actually do.

    Not true. You do not know what you are talking about.

    As far as the Windows issues ... well that is exactly why the Android security talk is so much noise with very little substance. We all remember in the late 90s and early 00s how Windows had actual security issues that affected anywhere from hundreds of thousands to tens of millions of users on a daily basis. Scores of people had their identities stolen, bank accounts drained, systems hi-jacked, files stolen or corrupted and hard drives bricked. SQL Slammer, Melissa Virus, Doom, Code Red, Poison Ivy ... you name it. It was common to see "do not open this email!" and "do not download this file!" warnings from IT departments and in the media.

    Do some research on the global scourge of stolen ID, SMS charges, and widespread bot-networks and spying related to Android. 

    The best part? For years, Microsoft did absolutely nothing. Their position FOR YEARS was that security was not their responsibility, and they actually told people to go out and get third party software!

    That was largely the position of every consumer company in the late 1990s, but Microsoft took much of the heat because it controlled the most users and had extra sloppy software that was easy to target, running in networked office environments that were easy to exploit.

    Things got a little better with Windows 7, and even though Windows 8 was a total disaster otherwise, that was when the security software included with Windows was good enough to not require buying third party software for most people.

    The A/V software running on Windows, as the article notes, is worthless if the OEM installs a backdoor or major vulnerability the way Lenovo did. 

    But seriously, if anywhere near as many security issues were on Android as there were on, say, Windows XP back in the day, Android would have collapsed long ago. Android users would have abandoned it for - gasp! - Windows Mobile, which is regarded as #2 behind iOS for security, and has had a much easier time being certified for sensitive government and enterprise users for this reason. As for why Windows Mobile is far more secure than Windows PC who knows ... you will have to ask Microsoft about that.

    Nobody uses Windows Mobile, and there aren't any other real mobile smartphone platforms of note, so calling it #2 is right up there with your other inane claims.  

    magman1979baconstanglolliver
  • Reply 12 of 24
    stevenozstevenoz Posts: 177member
    Here is the answer to prevent all the bloatware and spyware this article talks about:

    Buy a Mac laptop (ideally a MacBook Pro), with at least 8GB of RAM, plus as large and fast a HD as you can afford. Partition it with Apple's free Boot Camp app. Pay less than $100 for a Windows Install disc (get the disc for safety, rather than a download).

    So now you have a premium hardware Windows laptop... and the Mac OS too. You can have both the Dark Side and the Good Side on the same computer! (You decide which is which.)

    I recommend you boot into Windows when you want to use it, rather than with Parallels, etc. (Games and many other things are faster.)

    When sitting in the window at Starbucks using the PC side, people will still think you are cool, unless they look closely.


    edited June 2016 steveh
  • Reply 13 of 24
    tallest skiltallest skil Posts: 42,706member
    bdkennedy said:
    Microsoft doesn't care about privacy, that's been proven over and over again over the past 20 years.
    Since there’s a 2 megabyte limit (what the heck, guys) on uploads here and since gifs don’t animate unless they’re linked in (what the heck, guys), here’s a gif showing that Windows 10, even with absolutely all monitoring options turned off, still reports every single thing that you do in the OS to Microsoft. Keystrokes, screengrabs (even when you’re inputting passwords), etc.



    EDIT: Of course. Of course. Imgur is such a worthless site that it decides to encode gifs as mp4s, for fuck’s sake. Can’t even embed it.

    http://i.imgur.com/PwmzSyh.gifv

    EDIT: Okay, so even that doesn’t work. Here we go: https://imageupload.co.uk/image/c8je
    edited June 2016 magman1979lolliver
  • Reply 14 of 24
    Rayz2016Rayz2016 Posts: 3,150member
    the.bear said:
    First, Lenovo is nowhere near the top seller of Android devices. They aren't even in the top 3 in China: Oppo, Xiaomi and Huawei sold more last quarter. Second, while we hear a ton about security vulnerabilities on Android, the truth is that almost none of them affect the end user. 95% of the reports are potential attack vectors that are discovered and closed before anyone exploits them. The rest are attacks on devices that lack Google Play Services. There are only 2 Android security issues that actually affected end users that I can remember: one affecting non-Google Play devices in China, and another affecting about 200,000 users in Russia, which incidentally was the biggest security issue on Android by far. Also, both those security issues involved infected apps. None of them involved exploits against the OS itself. Google does remove infected apps - mostly spyware - from the Google Play Store all the time but so does Apple and the App Store: https://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/ Android security holes are a much bigger issue for people who adamantly inform you that they would never use an Android device than for the nearing 2 billion people who actually do. As far as the Windows issues ... well that is exactly why the Android security talk is so much noise with very little substance. We all remember in the late 90s and early 00s how Windows had actual security issues that affected anywhere from hundreds of thousands to tens of millions of users on a daily basis. Scores of people had their identities stolen, bank accounts drained, systems hi-jacked, files stolen or corrupted and hard drives bricked. SQL Slammer, Melissa Virus, Doom, Code Red, Poison Ivy ... you name it. It was common to see "do not open this email!" and "do not download this file!" warnings from IT departments and in the media. The best part? For years, Microsoft did absolutely nothing. Their position FOR YEARS was that security was not their responsibility, and they actually told people to go out and get third party software! Things got a little better with Windows 7, and even though Windows 8 was a total disaster otherwise, that was when the security software included with Windows was good enough to not require buying third party software for most people. But seriously, if anywhere near as many security issues were on Android as there were on, say, Windows XP back in the day, Android would have collapsed long ago. Android users would have abandoned it for - gasp! - Windows Mobile, which is regarded as #2 behind iOS for security, and has had a much easier time being certified for sensitive government and enterprise users for this reason. As for why Windows Mobile is far more secure than Windows PC who knows ... you will have to ask Microsoft about that.
    References would have given you credibility. And statistically speaking 95% is the world's favourite figure to apply to made-up statistics. At least 95% of Android fans will use it in a fact-free post. 
    magman1979stevehlolliver
  • Reply 15 of 24
    "...But seriously, if anywhere near as many security issues were on Android as there were on, say, Windows XP back in the day, Android would have collapsed long ago."

    Collapsed? What, like Windows has.....'nt?

    (Just noticed a nice little pun at the end.)  
    edited June 2016 ai46lolliver
  • Reply 16 of 24
    MacProMacPro Posts: 16,938member
    Newer Macs make better PCs than PCs.  Just boot to Windows on an external USB3 drive made from Parallels/ VMWare using two free utilities* and a genuine Window 10 ISO when needed (let's be honest the only reason left for Windows is games).  You can download anything you need for Windows on the Mac, unzip then transfer to the PC drive from the Mac (check out Paragon's NTFS for Mac utility).  No bloatware or crapware gets through.  I would add that Steam for PC is totally safe and trustworthy.

    AMD released new drivers in May 2016 for Macs running Windows, I now pass Steam VR test with these new drivers.  I do not use Boot Camp!  

    (*MiniTool Partition Wizard Free Edition , remember to set drive as MBR (easily creates EFI Fat 32 boot partition and main NTFS partition) and WintoUSB also free all run in Parallels along with the genuine $100 Windows 10 ISO downloadable from Amazon/Microsoft)
    edited June 2016
  • Reply 17 of 24
    MacProMacPro Posts: 16,938member
    stevenoz said:
    Here is the answer to prevent all the bloatware and spyware this article talks about:

    Buy a Mac laptop (ideally a MacBook Pro), with at least 8GB of RAM, plus as large and fast a HD as you can afford. Partition it with Apple's free Boot Camp app. Pay less than $100 for a Windows Install disc (get the disc for safety, rather than a download).

    So now you have a premium hardware Windows laptop... and the Mac OS too. You can have both the Dark Side and the Good Side on the same computer! (You decide which is which.)

    I recommend you boot into Windows when you want to use it, rather than with Parallels, etc. (Games and many other things are faster.)

    When sitting in the window at Starbucks using the PC side, people will still think you are cool, unless they look closely.


    I don't disagree entirely but most modern Mac's internal SSDs are too small, hence see my comment above.  A $9.95 cable from Amazon and a 250 GB SSD now about $85 and you have the Windows boot disk without using up valuable space on the Mac due to partitioning.  It has the added advantage that you can make several like this with different set ups on or simply as backups.  You can mount as many bootable PC drives on a Mac desk top as you like (PCs cannot mount another bootable drive in any useful way) and copy stuff between them (just add Paragon's NTFS for Mac).
    edited June 2016
  • Reply 18 of 24
    stevenozstevenoz Posts: 177member
    I don't disagree entirely but most modern Mac's internal SSDs are too small, hence see my comment above.  A $9.95 cable from Amazon and a 250 GB SSD now about $85 and you have the Windows boot disk without using up valuable space on the Mac due to partitioning.  It has the added advantage that you can make several like this with different set ups on or simply as backups.  You can mount as many bootable PC drives on a Mac desk top as you like (PCs cannot mount another bootable drive in any useful way) and copy stuff between them (just add Paragon's NTFS for Mac).
    This is a solution, I guess, for people without Apple's 1TB SSD (that is expensive) and if they don't want a disk hard drive in their laptop. But I wonder about all the drivers supplied by Apple for its Macs using Windows... How have you done it, digitalclips? Boot Camp? And did you have problems installing Windows on an external drive? Did you do it from the Mac?
    edited June 2016
  • Reply 19 of 24
    jbdragonjbdragon Posts: 1,579member
    My current Windows desktop I built myself.  I couldn't buy what I wanted, and installing Windows myself, there's no 3rd party bloat.  

    It's really the way to go.
  • Reply 20 of 24
    MacProMacPro Posts: 16,938member
    stevenoz said:
    This is a solution, I guess, for people without Apple's 1TB SSD (that is expensive) and if they don't want a disk hard drive in their laptop. But I wonder about all the drivers supplied by Apple for its Macs using Windows... How have you done it, digitalclips? Boot Camp? And did you have problems installing Windows on an external drive? Did you do it from the Mac?
    When you boot into Windows from the Mac when it is first setting up the way I do it, it installs all drivers it needs (just wait a while) except the graphics ones since it doesn't know what the hell the Apple AMD GPUs are (I have a new Mac Pro with 2 AMD FirePros).  BTW use 'custom install' whch is almost hidden on left of screen so you can deselect all the options no Mac user would want).  Next download and install the latest AMD drivers ( http://support.amd.com/en-us/download/desktop/bootcamp) for Mac released this May 2016 and install, they are the (almost) latest Crimson with Catalyst version.  You do not need any BootCamp drivers to be honest.   Obviously the down side is you need Parallels or VMWare Fusion to accomplish this simple to set up solution, but it is far better than having a partition on your internal HD.  I am not sure not being a Windows expert but I think  they have to mess with Bios settings to alter boot drives.  On a Mac you just hold option on start up and select what ever you want.  I have three Window 8.1 and four Windows 10 SSDs I can have on line all at once and select which one I want at start up this way.

    As to how?  I popped this up  http://digitalclips.com for you

    I forgot one small detail, ensure you set the USB drive (an SSD if you are wise) as MBR, this is a selection in MiniTool Partition.  There are USB3 to SSD connectors for bare SSDs for $9.95 on Amazon.
    edited June 2016 stevenozai46
Sign In or Register to comment.