Most major PC makers are shipping their desktops and notebooks with pre-installed software, which researchers say is riddled with security vulnerabilities.
A highly-critical report by Duo Security released Tuesday said Acer, Asus, Dell, HP and Lenovo all ship with software that contains at least one vulnerability, which could allow an attacker to run malware at the system-level — in other words, completely compromising an out-of-the-box PC.
The group of PC makers accounted for upwards of 38 million PCs shipped in the first quarter of the year, according to estimates garnered from IDC’s latest count.
The vast majority of those will be sold to consumers, and most of those will come with some level of system tool used to monitor the computer’s health or processes. This so-called bloatware — also known as junkware or crapware — is preinstalled software that lands on new PCs and laptops, and some Android devices. Often created by the PC maker, it’s usually deeply embedded in the system and difficult to remove.
PC makers install the software largely to generate money on low-margin products, despite it putting system security at risk.
“We broke all of them,” said Duo researchers in a blog post. “Some worse than others.”
Every PC maker that was examined had at least one flaw that could have let an attacker grab personal data or inject malware on a system through a man-in-the-middle attack.
One of the biggest gripes was the lack of TLS encryption used by the PC makers, which creates a secure tunnel for files and updates to flow over. Updating over HTTPS makes it difficult, if not impossible, to carry out man-in-the-middle attacks.
Of the flaws, Acer and Asus scored the worst with signed manifest and update files over unencrypted connections, potentially allowing an attacker to inject malware code as it’s being downloaded. By not using code-signing checks, an attacker can trivially modify or replace files and manifests in transit, said the corresponding report.
The flaws are such easy targets, the researchers said the “average potted plant” could exploit the flaws.
Duo’s researchers found a total of 12 separate vulnerabilities, with half of those rated “high,” indicating a high probability of exploitation.
Most of higher-priority flaws were fixed, but Asus and Acer have yet to offer updates.
The researchers said users should wipe and reinstall “a clean and bloatware-free copy of Windows before the system is used, otherwise, reducing the attack surface should be the first step in any system-hardening process.”
We’re reaching out to the companies for comment — and we’ll update if we hear back.