Those problems with security holes in big PC makers’ software bundles? They might not be over yet. Duo Security says it found vulnerabilities in the update software for Acer, ASUS, Dell, HP and Lenovo. Some vendors were more secure than others in Duo’s testing, but all of them were insecure enough that you could launch a man-in-the-middle attack and run your own code. In the worst cases, they’d send update data without any encryption or validation.
Also, don’t think that you’re safe by springing for one of Microsoft’s cleaner Signature Edition versions of these PCs. Duo says that some of these models still have vendor update software, so you might be in the same boat as someone who bought the garden-variety PC.
We’ve asked all five companies for comment, and we’ll let you know what they say. However, Duo adds that the research took place between last October and this April, which suggests that some of the holes might have already been patched up. Dell already said that it would tackle the eDellroot flaw that created a minor panic last year, for example. Even if there’s more fuss than necessary, though, this is a reminder that your PC’s operating system is only part of the security puzzle — you have to be mindful of third-party apps, too.