Computers, especially laptops, sometimes need vendor specific drivers. For years, these have been conveniently included with OEM bundles of Microsoft Windows.
But redundant garbage, like pre-installed browser toolbars, anti-virus trials and media players have all been an all too common eyesore for over a decade. Last year, Lenovo and Dell one-upped this game by distributing downright malicious SSL man-in-the-middle software, Glassfish and eDellRoot. This is simply unacceptable behavior.
Thanks to a new study by Duo Security, we now also know that well-known PC brands are failing their customers with insecure vendor specific update utilities. No checking of file integrity, no looking for signatures verifying the origins of downloads. These updaters also fetch their update lists (manifests) over insecure channels. Even crazier: manifests may allow for automatic and unattended installation of software.
Making matters even worse, several systems ignore all of the security benefits in modern Windows versions by running with full System privileges. As a bonus, all systems included vulnerabilities that cause arbitrary remote code execution.
Even “Signature Edition” PCs, explicitly marketed as free of unwanted nonsense, usually come with these updaters.
Changes to these practices have been promised from several PC vendors after the release of this study. But frankly, we should get rid of all this, right now. But how?
Too close to home
Bigger organizations can rely on IT departments that install streamlined, volume licensed copies of Windows without extra cruft. Our very own Miradore Management Suite is a superb addition to the toolbox of any pro involved in this, and it’s quite suitable for managing the machines of numerous small business customers.
At Miradore, we think bad OEM software should be a major concern for small businesses and home users without IT staff. Many small businesses are limited to purchasing and support from consumer electronics stores.
In professional IT, calling something consumer-level is more or less a slur. This is worth thinking about the next time you see cheapo laptops or Wi-Fi gear at the small office of a doctor, dentist, therapist, psychiatrist or lawyer. These small businesses happen to handle some of our most intimate and personal information!
What we hope for is that Managed Service Providers around the world see an opportunity in offering attractive small business IT services in their local communities. Pricing is an issue, but with data breach disclosure legislation on the horizon across the EU, spending a small monthly fee to have a clean and maintained Windows PC should become increasingly attractive.
But what exactly is the big deal here? Read on for an explanation of why it’s imperative to act upon Duo Security’s findings.
Signing code as a piece of the security puzzle
Duo Security confirms that PC updaters neglect safeguards like integrity checks for downloaded files. As pointed out by Duo’s paper, serious systems like Microsoft’s own Windows Update require very intricate methods to be subverted, like the Flame virus in 2012. So do the likes of Google Chrome’s and Mozilla’s updaters, the latter of which was indeed attacked in 2006 before it was fixed.
In this context, the term “signing” refers to combining public key cryptography with hashing algorithms to produce a verifiable fingerprint for an item, like a document, a program or an e-mail message. When the expected hash comes from a trusted source, comparing it against the downloaded file detects even a single changed bit.
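As an added illustration of the integrity check the Duo study found missing (this is example code written for this post, not any vendor's updater and not code from Duo's paper), the snippet below models the verification step an updater should perform before installing a download: parse a manifest, compare the SHA-256 of the downloaded bytes against the expected value, and refuse anything that does not match. The manifest format, the file name and the package bytes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "driver package". A real updater would download this
# from the vendor; here it is embedded so the example runs offline.
DRIVER_PACKAGE = b"constructed sample driver bytes v1.2.3 (not a real driver)"


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# Manifest format assumed for this example (not any vendor's real format):
# one entry per line, "<filename> <sha256 hex>". The digest is computed
# inline so the sample manifest is consistent with the sample package.
MANIFEST = f"driver.bin {sha256_hex(DRIVER_PACKAGE)}\n"


def parse_manifest(text: str) -> dict:
    """Map file names to their expected SHA-256 digests, ignoring blanks/comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, digest = line.split()
        entries[name] = digest.lower()
    return entries


def verify_download(name: str, data: bytes, manifest: dict) -> bool:
    """Return True only if the downloaded bytes match the manifest entry.

    Files the manifest does not list are rejected outright, and the digest
    comparison uses hmac.compare_digest so it runs in constant time.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Corrupt a copy of the data by flipping a single bit (to show detection)."""
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def install_if_verified(name: str, data: bytes, manifest_text: str) -> str:
    """The gate an updater should have: verify first, then install."""
    manifest = parse_manifest(manifest_text)
    if not verify_download(name, data, manifest):
        return "rejected"
    # Real installation would happen here; the example only reports the decision.
    return "installed"


if __name__ == "__main__":
    print(install_if_verified("driver.bin", DRIVER_PACKAGE, MANIFEST))
    print(install_if_verified("driver.bin", flip_one_bit(DRIVER_PACKAGE), MANIFEST))
    print(install_if_verified("other.bin", DRIVER_PACKAGE, MANIFEST))
```

The hash comparison only helps if the manifest itself is trustworthy: a manifest fetched over plain HTTP can be replaced along with the file it describes, hash and all. That is why the serious updaters mentioned above authenticate the manifest as well, typically with a signature from a vendor key that ships with the updater, on top of transporting it over TLS.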
But don’t we all download basic software like Google Chrome and VLC player when we install a new computer? And most of us don’t check any hashes manually, do we? We don’t. And this is problematic.
Luckily, operating systems have started integrating warnings when we install apps and drivers that haven’t been signed by the publisher, or when signatures don’t match. But this is far from bulletproof, starting with how many users won’t pay any attention to warnings.
With restricted App Stores, these checks are part of the process. A vaguely similar model of centralized repositories for apps has long been used by Linux distributions, sans lock-in.
Exploiting incapable updaters?
So, how would a bad guy exploit insecure software updaters? Sure, downloading arbitrary code and maybe installing it sounds bad. But could this be one of those cases that only applies to people with serious paranoia?
We don’t think so.
First of all, big things are at stake with bad updates. By now, when an increasing number of people understand that updates are important for security, our industry can’t afford to raise suspicion about installing them.
The conversion rate for users manually installing vendor provided driver updates on their laptops is certainly lower than for Windows Updates, especially since Windows 10 began force feeding those by default. Yet, there are millions and millions of people using these brand name computers running insecure updaters. Cybercriminals are probably interested.
Toolkits for destruction
Malicious software distributors are increasingly supported by polished products that provide ready to customize toolkits and frameworks – like all developer tools.
Windows is becoming increasingly secure by design and aggressive about updates. But we live surrounded by infrastructure that runs out of date, haphazardly thrown together code. When we let our increasingly secure operating systems be tainted by such code, we’re negating all industry advancement.
So, let’s start with the basics. If a user with limited user rights downloads and runs a piece of software that somehow manages to talk to a faulty updater utility, the whole system is at risk.
But for criminals, it will increasingly make sense to create tools that can target devices we don’t even think about, like Wi-Fi routers. When devices like these have their unmaintained firmware infected with malware in our homes, favorite coffee shops, or airports, they can be automatically configured to mess with all local network users.
This is far from difficult. DNS (name server) queries are easy to control if you master network infrastructure. In fact, they’re used for all kinds of filtering, blocking and censorship.
So, with defective updaters, devices can be fooled into fetching faulty update information, which could launch arbitrary code automatically. To obscure this behavior, such attacks could be targeted by the vendor ID in MAC/hardware addresses on Ethernet/Wi-Fi cards. Commercial and open source networking software already have databases of vendor IDs. Some (like pfSense) can detect the operating systems and create rules based on that.
These examples alone are probably enough to prove why locally exploitable software is a huge issue. For some truly hair-raising summer reading, we warmly recommend reading the entire study from Duo Security (pdf). If your small business relies on Windows computers, the actionable advice we can offer is to investigate how tools like Miradore Management Suite can help you deploy untainted versions of Windows on fleets of PCs.
Title photo by Hobvias Sudoneighm.