
Your big-name PC may have a security flaw in its update software

Written by Jon Fingas


Those problems with security holes in big PC makers’ software bundles? They might not be over yet. Duo Security says it found vulnerabilities in the update software for Acer, ASUS, Dell, HP and Lenovo. Some vendors were more secure than others in Duo’s testing, but all of them were insecure enough that you could launch a man-in-the-middle attack and run your own code. In the worst cases, they’d send update data without any encryption or validation.

Also, don’t think that you’re safe by springing for one of Microsoft’s cleaner Signature Edition versions of these PCs. Duo says that some of these models still have vendor update software, so you might be in the same boat as someone who bought the garden-variety PC.

We’ve asked all five companies for comment, and we’ll let you know what they say. However, Duo adds that the research took place between last October and this April, which suggests that some of the holes might have already been patched up. Dell already said that it would tackle the eDellroot flaw that created a minor panic last year, for example. Even if there’s more fuss than necessary, though, this is a reminder that your PC’s operating system is only part of the security puzzle — you have to be mindful of third-party apps, too.



4 Comments

  • No need to worry about malware getting on my computer! My antivirus program, Bitdefender, is so god damn annoying I don’t think I would even notice the presence of a virus.

  • OK. Research done. The full source is here.
    https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf
    Going through that it looks like Duo did conclude that OEM updaters could find their way onto signature edition devices in some cases, but they were only able to identify issues with some HP devices (it doesn’t look like compromising software was found on signature edition devices from other OEMs). That’s a little more helpful. 🙂
    Microsoft might want to re-evaluate what they let HP get away with.

  • Another in a long list of reasons to only purchase signature edition installs from the Microsoft Store, and removing any remaining vendor programs that might have slipped through.
