PC makers blasted for bad bloatware security

A study of software bundled by large PC vendors on their machines has found that the bloatware apps leave users exposed to easily exploitable vulnerabilities while being of little use to customers.

The research arm of infosec firm Duo Security, Duo Labs, looked at how well vendors secure updaters for their value-added bloatware, and found that each original equipment manufacturer shipped software with at least one serious vulnerability.

Its report [pdf] found the vulnerabilities could be used for man-in-the-middle interception and remote code execution that would give attackers full access to victims' computers.

A total of 12 serious vulnerabilities were found in the OEM updaters, affecting PCs from well-known brands such as Dell, HP, Asus, Acer and Lenovo.

This careless attitude to bloatware security created large attack surfaces that were easy to find and exploit, Duo Labs said.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial," the researchers wrote.

In particular, OEMs failed to make even basic use of Transport Layer Security (TLS) encryption and connection authentication for the updaters, Duo Labs said.

Few made an effort to validate the integrity of updates on users' computers, or tried to verify the authenticity of the manifest for the patches.

Even Microsoft Signature Edition PCs, which are supposedly free from bloatware and which are sold on the premise of being faster and safer than standard OEM systems, contain third-party update tools, tthe researcherrs said.

The Duo Labs report shows that despite widespread negative publicity around OEM bloatware security gaffes such as the eDellRoot fake SSL certificate and Lenovo shipping the insecure Superfish adware on its PCs, vendors continue to expose customers to vulnerabilities.