OEM Software Leaves New Windows PCs Vulnerable

Software preloaded on new Windows computers by leading OEMs may leave customers vulnerable to remote attack, researchers from DUO warn.

In-brief: Software preloaded on new Windows computers by leading OEMs may leave customers vulnerable to remote attack, researchers from DUO warn.

All that bloatware that ships with your new Windows PC may be undermining security, in addition to clogging your hard drive and desktop, reports Dan Goodin over at Ars Technica.

Dan notes this report from the folks at DUO Security that found serious security flaws in new computers from leading vendors, including Dell, Hewlett Packard, Asus, Acer and Lenovo. Among the problems identified: high risk vulnerabilities in OEM software shipped with HP, Asus, Acer and Lenovo computers that could result in an attacker running arbitrary code on affected systems.

In all, DUO researchers found 12 vulnerabilities linked to OEM software across the vendors they studied. The source of the problems was frequently poor implementation and an absence of “best practices”: exposing APIs (application programming interfaces) in ways that made them easy to exploit, failing to use TLS (transport layer security) properly, or relying on updater applications that themselves contained exploitable software vulnerabilities.

The exact mix of problems was different in each case, but the net effect was the same, DUO concluded.

“While there is arguably no canonical guide to implementing OEM support tools, many of the implementations were ‘hacky’ to say the least, either out of ignorance or necessity.”

You can read more over at Ars Technica, or check out the full DUO report (PDF).
