Hijacking the PC Update Process
There’s a new report on security vulnerabilities in the PC initialization/update process, allowing someone to hijack it to install malware:
One of the major things we found was the presence of third-party update tools. Every OEM we looked at included one (or more) with their default configuration. We also noticed that Microsoft Signature Edition systems also often included OEM update tools, potentially making their distribution larger than other OEM software.
Updaters are an obvious target for a network attacker; this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEMs to learn from this, right?
Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.
News article.
Kai Howells • June 6, 2016 6:44 AM
I fail to understand what OEMs actually hope to achieve by installing all their crapware on new machines. I don’t know one single person who uses any of it, and no-one actually likes having it there.
You can’t add crap like this to Windows and expect it to run better – so what purpose does it serve?
Surely the OEMs expend non-trivial amounts of resources in developing this software – why do they continue to do so?
Nothing will run as well straight out of the box as a machine with a fresh install of Windows and nothing else.
I can understand that there are bundling deals with 3rd party software vendors and OEMs, that’s why we get things like Evernote, CD burning software, Outlook plugins, trial versions of Office and crappy AV software – but this doesn’t explain why the OEMs feel like they have to put their own software in the mix as well.
With all the marketing that Microsoft is putting behind Signature Edition (basically a clean install of Windows with minimal other 3rd party crapware) – why doesn’t any OEM realise the value in this and go one step further – just install Windows and nothing else?
http://www.microsoftstore.com/store/msusa/en_US/cat/Signature-Edition-Computers/categoryID.69916600