Software makers like Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can’t hijack updates to get into your computer.
But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers—HP, Dell, Acer, Lenovo, and Asus—found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.
Researchers at Duo Security’s Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities—the ability to remotely run whatever malicious code they want on a system—and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report they’re releasing (.pdf) about their findings.
The OEM vendors all shared similar security flaws in varying degrees, such as failure to deliver updates over a secured HTTPS channel or failure to sign update files or validate them. These problems make it possible for attackers to conduct a man-in-the-middle attack to intercept update files as they’re transmitted to computers and replace them with malicious ones. The malicious files can get installed regardless of other protections a machine might have because updaters operate with the highest level of trust and privilege on machines.
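The control the researchers say was missing, shown as an added example rather than code from Duo or any of the OEMs: an update client that pins the vendor's Ed25519 public key, checks the manifest signature, and checks the payload hash before anything is installed. The manifest layout, key handling and sample payload are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update manifest. The vendor signs
// the (version, payload hash) pair; the client ships with the vendor's key.
type Manifest struct {
	Version     string
	PayloadHash string // hex SHA-256 of the update payload
	Signature   []byte // Ed25519 over Version + "\n" + PayloadHash
}

func manifestBytes(m Manifest) []byte {
	return []byte(m.Version + "\n" + m.PayloadHash)
}

// SignManifest stands in for the vendor's build system (assumed).
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadHash: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the check the updaters in the report lacked: a payload is
// accepted only if its manifest carries a valid signature from the pinned key
// AND its SHA-256 matches the signed hash. A swapped file fails the second
// check; a re-signed manifest from another key fails the first.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadHash {
		return errors.New("payload hash mismatch: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	payload := []byte("constructed update payload v1.2")
	m := SignManifest(priv, "1.2", payload)
	fmt.Println("genuine:", VerifyUpdate(pub, m, payload))
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("replacement file")))
}
```

Pinning the key in the client is what makes this hold even when the transport is plain HTTP; HTTPS on top of it closes the interception path as well.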