Report Warns Of OEM Software Vulnerabilities On Major Vendors’ Laptops

Solution providers need to step up their security game when it comes to reselling OEM solutions to clients, as a new report out Tuesday warned of significant security vulnerabilities pre-installed on most major OEM vendors' laptops.

The report, published Tuesday by Duo Security, a security provider based in Ann Arbor, Mich., found 12 serious vulnerabilities in the OEM software on Dell, Hewlett-Packard, Asus, Acer and Lenovo laptops. "High risk" vulnerabilities in third-party updater tools, if exploited, could have allowed for arbitrary code execution, the report said, opening the door for a man-in-the-middle attack.

All five laptop vendors shipped at least one vulnerability in their pre-installed updater software, the report said, and some shipped several different updaters for different purposes. It said most vendors failed to use TLS, to validate update integrity, or to verify the authenticity of update manifest contents. Researchers said some vendors had made unsuccessful attempts to harden the updaters, but that was not the case for all.
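The integrity and authenticity checks the report says most updaters skipped are illustrated below in an added example that is not part of the article or of any vendor's updater. It assumes a simple JSON manifest listing each update file with its SHA-256 digest, and it authenticates the manifest before trusting any digest in it. A real updater would verify a public-key signature against a pinned vendor key; a keyed HMAC with a constructed key stands in here only so the example runs with the standard library. Transport protection (TLS with certificate validation) is a separate layer and is not shown.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed key standing in for a vendor signing key (assumption for this
# example). A production updater would verify an Ed25519 or RSA signature with
# a pinned vendor public key rather than share a symmetric key with clients.
VENDOR_KEY = b"constructed-example-key-not-a-real-secret"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> tuple[bytes, str]:
    """Serialise the manifest canonically and compute its authentication tag."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return canonical, tag


def verify_update(manifest_bytes: bytes, tag: str, payloads: dict[str, bytes],
                  key: bytes = VENDOR_KEY) -> dict:
    """Authenticate the manifest first, then check every payload against it.

    Raises ValueError on any mismatch and returns the parsed manifest on success.
    Nothing is installed unless both steps pass, so an attacker who can alter
    bytes on the wire cannot substitute a file or rewrite the manifest.
    """
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authentication failed")
    manifest = json.loads(manifest_bytes)
    for entry in manifest["files"]:
        data = payloads.get(entry["name"])
        if data is None:
            raise ValueError(f"missing payload: {entry['name']}")
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, entry["sha256"]):
            raise ValueError(f"integrity check failed: {entry['name']}")
    return manifest


def run_demo() -> dict[str, bool]:
    """Exercise a valid update, a tampered payload, and a tampered manifest."""
    # Constructed sample payloads; names and contents are illustrative only.
    payloads = {
        "updater.exe": b"constructed updater payload v2",
        "driver.sys": b"constructed driver payload v2",
    }
    manifest = {
        "version": "2.0",
        "files": [{"name": n, "sha256": hashlib.sha256(d).hexdigest()}
                  for n, d in payloads.items()],
    }
    manifest_bytes, tag = sign_manifest(manifest)
    results: dict[str, bool] = {}

    # 1. Untouched manifest and payloads verify.
    results["valid"] = verify_update(manifest_bytes, tag, payloads)["version"] == "2.0"

    # 2. A payload swapped in transit fails the per-file digest check.
    swapped = dict(payloads, **{"driver.sys": b"constructed substituted bytes"})
    try:
        verify_update(manifest_bytes, tag, swapped)
        results["tampered_payload"] = True
    except ValueError:
        results["tampered_payload"] = False

    # 3. A manifest rewritten to point at attacker-chosen digests fails the
    #    authentication step before any digest in it is consulted.
    forged = dict(manifest)
    forged["files"] = [{"name": "driver.sys",
                        "sha256": hashlib.sha256(b"constructed substituted bytes").hexdigest()}]
    forged_bytes = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    try:
        verify_update(forged_bytes, tag, swapped)
        results["tampered_manifest"] = True
    except ValueError:
        results["tampered_manifest"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks matters: the manifest is authenticated before any of its digests are used, because a digest read from an unauthenticated manifest proves nothing about who produced the file. An updater that only compares a file against a hash fetched over the same unprotected channel has the second check without the first, which is the gap the report describes.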

"The OEM software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware … In addition to wasting disk space, consuming RAM and generally degrading the user experience, OEM software often has serious implications on security," the report said, citing recent high-profile examples of Superfish and eDellRoot.

"Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any, security review was performed," the report said.

The report did not say if any of the vulnerabilities had been exploited by hackers, but said the large attack surface area would make it "trivial" for a hacker to take advantage of the vulnerability.

Matt Johnson, CEO of Millersville, Md.-based Phalanx Secure Solutions, said this report highlights the security concerns around OEM software, and the need for partners to stand in the middle for the better security of their clients.

"There is way too much software being added to machines by OEM manufacturers these days, with very little thought going to the security of those packages," Johnson said.

For that reason, Johnson said Phalanx never sells a system to a client that still has the OEM's original operating system. He said the solution provider always reinstalls a fresh version of the operating system on the machine before installing it at the client.

"Any time you add software to one of your machines you are going to expose yourself to any inherent security flaws that are in that software package. With the number of machines that OEMs are producing, the ability to create a large, wide-scale outbreak of security flaws is infinite," Johnson said.

Duo Security said most of the laptop vendors have taken some action to repair the vulnerabilities. It said Dell and HP have issued updates to fix the vulnerabilities and Lenovo has removed the software in question. Duo also said Acer and Asus are aware of the problem but have not yet issued fixes.