Millions of PCs ship with bloatware riddled with security flaws, say researchers

[Image: pc-gaming.jpg, via CNET/CBS Interactive]

Most major PC makers are shipping their desktops and notebooks with pre-installed software, which researchers say is riddled with security vulnerabilities.

A highly critical report by Duo Security released Tuesday said Acer, Asus, Dell, HP and Lenovo all ship software containing at least one vulnerability that could allow an attacker to run malware with system-level privileges — in other words, completely compromising an out-of-the-box PC.

The group of PC makers accounted for upwards of 38 million PCs shipped in the first quarter of the year, according to estimates garnered from IDC’s latest count.

The vast majority of those will be sold to consumers, and most of those will come with some level of system tool used to monitor the computer’s health or processes. This so-called bloatware — also known as junkware or crapware — is preinstalled software that lands on new PCs and laptops, and some Android devices. Often created by the PC maker, it’s usually deeply embedded in the system and difficult to remove.

PC makers install the software largely to generate money on low-margin products, despite it putting system security at risk.

“We broke all of them,” said Duo researchers in a blog post. “Some worse than others.”

Every PC maker that was examined had at least one flaw that could have let an attacker grab personal data or inject malware on a system through a man-in-the-middle attack.

One of the biggest gripes was the PC makers' failure to use TLS encryption, which creates a secure tunnel for files and updates to flow over. Updating over HTTPS makes it difficult, if not impossible, to carry out man-in-the-middle attacks.

Of the flaws, Acer and Asus scored the worst with signed manifest and update files over unencrypted connections, potentially allowing an attacker to inject malware code as it’s being downloaded. By not using code-signing checks, an attacker can trivially modify or replace files and manifests in transit, said the corresponding report.
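The two missing controls the report calls out, transport encryption and a code-signing check on the manifest and the files it lists, are what a hardened updater verifies before it trusts anything it downloaded. This is an added illustration, not code from Duo's report or from any vendor's updater; the manifest layout, the field names and the use of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// Manifest is a hypothetical updater manifest (an assumption, not a vendor format):
// where update files are fetched from and the SHA-256 digest each one must have.
type Manifest struct {
	BaseURL string            `json:"base_url"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrPlaintextURL   = errors.New("manifest points at a non-https URL")
	ErrUnlistedFile   = errors.New("file is not listed in the manifest")
	ErrDigestMismatch = errors.New("update file digest does not match manifest")
)

// VerifyManifest is the hardened path: the detached Ed25519 signature over the raw
// manifest bytes is checked before any field is trusted, and a manifest that would
// fetch updates over plaintext HTTP is rejected even though it is correctly signed.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(strings.ToLower(m.BaseURL), "https://") {
		return nil, ErrPlaintextURL
	}
	return &m, nil
}

// VerifyUpdateFile pins a downloaded file to the digest in the verified manifest,
// so a file swapped in transit fails even when the manifest itself arrived intact.
func VerifyUpdateFile(m *Manifest, name string, content []byte) error {
	want, ok := m.Files[name]
	if !ok {
		return ErrUnlistedFile
	}
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != strings.ToLower(want) {
		return ErrDigestMismatch
	}
	return nil
}

// SignManifest is the vendor-side counterpart; it exists here only to produce test data.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}
```

An updater that fetches the manifest over HTTP and skips VerifyManifest is exactly the weak pattern the report describes: whoever sits on the path can rewrite both the manifest and the files it names.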

The flaws are such easy targets that, the researchers said, the “average potted plant” could exploit them.

Duo’s researchers found a total of 12 separate vulnerabilities, with half of those rated “high,” indicating a high probability of exploitation.

Most of the higher-priority flaws were fixed, but Asus and Acer have yet to offer updates.

The researchers said users should wipe and reinstall “a clean and bloatware-free copy of Windows before the system is used, otherwise, reducing the attack surface should be the first step in any system-hardening process.”

We’re reaching out to the companies for comment — and we’ll update if we hear back.

Dark Reading At 10 Years: Learning From The Best

Kudos to the Dark Reading community for strengthening the security industry with all its passion and opinions.

I have the dubious distinction of being both the oldest and youngest member of the Dark Reading team. Oldest, in terms of chronological age. Youngest with respect to my years covering the information security industry, which, for Dark Reading, adds up to exactly two.

I’m not a total neophyte when it comes to information security, however.

I’m old enough to have personally experienced the Love Bug in May 2000 along with 50 million other people. It wiped my hard drive clean and rapidly spread to many of my friends and colleagues whose names and email addresses were there for the taking from my inbox.

That experience is typical of my personal relationship with technology. In 1985, while installing it from a floppy disk, I erased the operating system of my very first personal computer – a Leading Edge Model D. In the early ‘90s, at the dawn of the consumer Internet, I inadvertently racked up a $3,000 bill for research about the history of the microprocessor on a private news network – research that in a few short years would be available at no charge for anyone with a computer and a dial-up connection.

Professionally (with professional tech support covering my behind) I have had much better luck. I wrote about many aspects of general IT security at UBM’s DeusM microsites on networking, data center, and the all-encompassing topic of “21st century IT.” Before that, at TechTarget, I launched and managed a half-dozen Windows-focused enterprise IT sites, which published news and tech features about enterprise migrations from Windows NT 4 and Exchange 5.5 to new versions of desktop and server operating systems, and reported on early administrative gains and improved security through Active Directory, group policies, centralized patch control, and antispam filtering technologies.

But it wasn’t until I joined the team at Dark Reading that security became Job #1 in the fall of 2014. I had a lot to learn – fast – and was mentored and inspired by my excellent colleagues Tim Wilson, Kelly Jackson Higgins, and Sara Peters. Equally instructive was the day-to-day interaction I have had with the security industry’s brightest minds, rock stars, and up-and-coming leaders. I learn something new every time I review or edit commentary on the issues that encompass this rapidly evolving, fascinating industry.

What’s most heartening to me, though, is the spirit of community that pervades the site. When I first arrived on the scene, I wrote a blog about what we hoped to accomplish with our new “community model” that actively encourages reader participation with industry contributors, reader commenting, and interactive features like radio shows, webinars, virtual events – even cartoons and cartoon caption contests.

I wrote at the time that our goal was “to foster high-IQ conversations about the critical security issues of the day… [and create] a dialogue among practitioners that is both relevant and personal.” It’s been a singular pleasure and career highlight to be a part of the team that has achieved that goal, along with the robust participation of the Dark Reading security community and all its thought-provoking passions and opinions.

Happy 10th Anniversary, Dark Reading! I can’t wait to see what unfolds in the next decade.


Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting …


Wekby ‘Pisloader’ Abuses DNS

New malware family ‘pisloader’ uses DNS requests for command and control.

As enterprise IT continues to ignore the security of outbound DNS traffic, criminals are starting to take advantage of the blind spot. Researchers with Palo Alto Networks last week found yet another prime example of attackers’ preference for DNS with the emergence of a new malware variant that uses DNS requests as cover for its command-and-control (C2) communication with infected network assets.

Dubbed “pisloader” by Palo Alto’s Unit 42 research team in its report last week, the new malware shows striking similarities to the HTTPBrowser family in its command structure, naming conventions, and metadata. It is another product of the Wekby crime group, which is known for its rampant use of HTTPBrowser, leading researchers to believe that pisloader is a variant of that malware family.

The biggest highlight of the new variant is its use of DNS as a C2 protocol, but it is armed with other obfuscation techniques to make security researchers’ jobs more difficult, including using return-oriented programming and garbage assembly instructions in the payload.

“The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record,” write the researchers. “The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
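The query shape the researchers describe (a 10-character alphanumeric header label, an unpadded base32 label, a TXT lookup) is something a resolver-log scan can look for directly. The following is an added detection sketch, not code from Unit 42 or Palo Alto Networks; the log format, the example domain and the client addresses are constructed.

```go
package main

import (
	"encoding/base32"
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is a constructed resolver log ("client qtype qname"), not data from the Unit 42
// report. The two TXT queries under updates.example.net have the shape the report describes.
const SampleLog = `10.0.0.5 A www.example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.7 TXT a7kq2x9zpm.nbswy3dpeb3w64tmmq.updates.example.net
10.0.0.7 TXT q1w2e3r4t5.orsxg5a.updates.example.net
10.0.0.9 A mail.example.com`

var (
	// headerLabel matches the random 10-byte alphanumeric header (names are lowercased first).
	headerLabel = regexp.MustCompile(`^[a-z0-9]{10}$`)
	// unpadded decodes base32 whose '=' padding was stripped, as the report describes.
	unpadded = base32.StdEncoding.WithPadding(base32.NoPadding)
)

// DecodeLabel returns the bytes a base32 label carries, or nil if it is not valid base32.
func DecodeLabel(label string) []byte {
	b, err := unpadded.DecodeString(strings.ToUpper(label))
	if err != nil || len(b) == 0 {
		return nil
	}
	return b
}

// ClassifyQuery reports whether a query has the pisloader shape (TXT type, header
// label, base32 payload label, C2 domain) and how many payload bytes it carries.
func ClassifyQuery(qtype, qname string) (payloadLen int, matched bool) {
	labels := strings.Split(strings.ToLower(qname), ".")
	if !strings.EqualFold(qtype, "TXT") || len(labels) < 4 || !headerLabel.MatchString(labels[0]) {
		return 0, false
	}
	payload := DecodeLabel(labels[1])
	if payload == nil {
		return 0, false
	}
	return len(payload), true
}

// ScanLog returns one "client qname (n payload bytes)" entry per flagged query.
func ScanLog(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		if n, ok := ClassifyQuery(f[1], f[2]); ok {
			hits = append(hits, fmt.Sprintf("%s %s (%d payload bytes)", f[0], f[2], n))
		}
	}
	return hits
}
```

On real logs the hits are worth grouping by client and by registered domain, since a single host issuing a stream of such TXT lookups to one domain is the beaconing pattern, while an isolated match may be a legitimate encoded record.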

According to the 2016 Cisco Annual Security Report, approximately 69% of organizations today don’t monitor or control recursive DNS traffic. Attackers love this visibility gap and Cisco reports that 92% of malware today uses DNS to establish C2 communication, exfiltrate data, or redirect traffic.

Specifically using DNS for C2 is not necessarily standard operating procedure for malware today, but the practice is growing in prevalence and pisloader is one among several notable samples picking up on this in the last few years, including the PlugX remote access tool (RAT) and the C3PRO-RACCOON malware that was highlighted by Forcepoint Security Labs in its in-depth study of the Jaku botnet this spring.

In the same vein, attackers are also taking advantage of DNS as a way to exfiltrate data, using DNS tunneling tools to encode data and send it out over Port 53 to fly under the radar of many filtering tools. Earlier this month, FireEye brought attention to a malware sample using DNS exfiltration that has been plaguing banks in the Middle East.

Security experts warn that enterprises need to take better care monitoring and controlling DNS traffic, particularly outbound Port 53 traffic, in order to get a handle on threats like pisloader that will increasingly hit their networks as the crooks try to press their advantage.

“DNS is this underlying infrastructure of the entire Internet and a lot of times it’s not given very much attention,” says Angela Knox, senior director of engineering and threat research at network security firm Cloudmark. “But because it’s so ubiquitous and often not given attention, it’s a really great channel for the malicious actors to use.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


10 Sea-Changing IT Security Trends Of The Last 10 Years

A look at ten of the megatrends that have shaped IT security — and in some cases, enterprise business — over the last decade.

When it comes to IT security, the old saw says, the only constant is change. As Dark Reading looks back over the ten years since its launch in 2006, that maxim seems more accurate than ever.

Like generals fighting a losing battle, security thought leaders and professionals have been forced to change strategies many times over the last decade, often in response to technological and strategic advances developed by the attackers. While IT itself has evolved quickly, the pace of new security threats has moved even faster, often leaving defenders in firefights that change almost daily. And defense strategies that were once fundamental to the security industry are now being constantly challenged – if not outright rejected – by the thinkers who once promoted them.

In this feature, we take a look at some of the fundamental sea changes that have occurred over the last 10 years. Perhaps a look at where we’ve been will give us a hint at where we’re going – or at least prepare us for more change in the future.

From Sentries To Detectives

Ten years ago, IT security professionals were often seen as the guards at the gate – the people who were responsible for protecting corporate data and preventing cyber criminals from gaining access to enterprise systems. There was a perception of a defensible “perimeter” for each organization, and a relatively stable set of end user technologies to secure.

Today, the majority of security technologies and strategies assume that the enterprise has already been compromised. There is a heavy emphasis on the use of data forensics to ferret out sophisticated exploits hiding in the infrastructure, as well as incident response tools to detect and remediate compromises as soon as possible. Enterprises’ broader shift to technologies that are outside the IT department’s span of control – including cloud services and user-owned mobile devices – has virtually shattered the perimeter defense concept and forced the security team to spend most of its time searching for threats that have already penetrated the organizational walls.

The Shrinking Skills Pool

In 2006, a significant portion of the security team could be described as system administrators who spent much of their time onboarding new users, maintaining simple access controls, and administering passwords. While there were plenty of security thinkers and strategy architects, the demands on the average security pro were mostly around policy management and internal system defense – and while hiring was not easy, it was often possible to bring in an entry-level system administrator and teach them what they needed to know about more sophisticated threats and defenses over time.

Over the past decade, however, the rapid evolution of online threats – and the negative publicity received by companies that were breached – has generated a nearly-insatiable demand for more IT security talent. Not only does the industry need more bodies – some estimates say that as many as 1.5 million new security jobs will be created over the next five years – but the skills requirement has increased, as enterprises do less simple systems administration and more post-compromise analysis of incoming threats. If current trends are any indication, IT security will continue to remain a negative-unemployment industry for many years to come, and the most skilled people will generate the greatest demand.

The Erosion Of Layered Security

For many of the last ten years, IT security lived and died by the philosophy of “layered security,” which holds that an enterprise’s best defense is to challenge the attacker with an array of different defenses – firewalls, antivirus, intrusion detection/prevention, encryption, authentication, and many more – in an effort to discourage all but the most determined attackers. This strategy, sometimes called “defense in depth,” encouraged enterprises to purchase and implement a wide variety of security tools and practices, making it difficult for any single-vectored attack to get through.

However, after ten years of buying and deploying new security technologies and breaking new IT security spending records year after year, most security experts are beginning to wonder if the layered security philosophy is the best approach. The incidence and cost of data breaches continue to increase, and some business executives have begun to balk at the notion of continually increasing spending on technology and people without any guarantee of data security. Many enterprises and security experts are rethinking some of the basic precepts of IT security, though a clear new philosophy has yet to emerge.

Cybercrime Boom

In 2006, many security strategies were still predicated on the proliferation of viruses and worms such as Love and Code Red, which were designed to infect as many machines as possible and to gain notoriety for their creators. In some quarters, there was still a perception of hackers as teenagers working late at night in their basements, seeking approval from others online.

In fact, by 2006 the cybercrime market had already begun a massive shift toward an organized, underground economy that has continued to grow and flourish over the past decade. Malware developers create and sell their exploits in online forums — and support their products with upgrades, patches, and even 24-hour customer service. Criminals can rent botnets by the hour, or purchase long lists of valid credit cards at less than a dollar apiece. Recent estimates project that cybercrime costs will reach $2 trillion by 2019, and some law enforcement agencies say organized crime syndicates now make more money from cybercrime than from drugs or prostitution. Clearly, cybercrime is more lucrative than ever – and that trend bodes poorly for tomorrow’s IT security defenders.

Security Goes Public

When Dark Reading was launched in 2006, it carried only a few stories about security breaches, partly because laws requiring companies to disclose such breaches were only just going into effect. With the passage of breach disclosure laws in California – and subsequently, 47 other states – the extent of the cybersecurity problem became increasingly evident. The Identity Theft 


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech’s online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one …


Adobe Flash: 6 Tips for Blocking Exploit Kits

While Adobe does a good job patching exploits, there are additional steps security staffs can take to hedge their bets.


Image Source: www.theregister.co.uk

There’s no rest for weary security managers and their teams of incident responders. A new report from NTT Group security company Solutionary found that Adobe Flash was by far the software most targeted by exploit kits in 2015.

An exploit kit is software running on a web server that targets vulnerabilities in the client machines communicating with that server and then pushes malicious code to those clients.

Jon-Louis Heimerl, manager of Solutionary’s threat intelligence communication team, says that there was a steady increase in Adobe Flash exploit kits from 2012 to 2014, followed by a dramatic increase in 2015.

“There were 314 vulnerabilities identified in Adobe Flash in 2015, which represents a rate of one new vulnerability every 28 hours, and researchers have found 105 so far this year, for a rate of one new exploit every 33 hours,” Heimerl adds.

Heimerl explains that Flash now runs as a default on most computer systems and is supported across most modern operating systems, which makes it a prime target for bad threat actors.

For those looking to remove Adobe Flash from their systems, Heimerl recommends going to the adobe.com site and then finding the search option in the upper right corner. Start typing “Flash uninstaller” and the page for the uninstaller will appear pretty quickly.

Going to the Adobe site is just as important for those who want to install Flash, he adds. “Don’t mess around with any page telling you to “install now,” just go directly to Adobe.com and get Flash from there on the lower right corner,” he explains.

Heimerl says while he personally does without Adobe Flash in many instances, it’s unrealistic to expect that most organizations will wean off such a popular program. Google recently announced it will no longer support Flash by default in Chrome, but they are the only company to make such an announcement. Here are six tips security managers can follow to reduce the risk of being the victim of an exploit kit.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
