OEM Bloatware is Still a Security Problem

On May 31st, researchers from Duo Labs published a report detailing the bloatware found on ten new laptops. Bloatware is the extra software that Original Equipment Manufacturers (OEMs) preload before a computer is sold. Often it is slow, useless and difficult to remove. Some may remember last year’s Superfish and eDellRoot fiascoes.

Lenovo’s Superfish adware installed its own root certificate, with the same private key on every affected machine, so that it could intercept HTTPS traffic; once that key was extracted, anyone could perform man-in-the-middle attacks against those laptops, even over encrypted connections. (I mentioned Superfish during our March podcast.) eDellRoot is a preinstalled, self-signed root certificate whose private key also shipped on the machine; it could be used to issue certificates for any site, spoof websites, or support phishing and man-in-the-middle attacks.
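Both incidents share one pattern: a trusted root certificate whose private key lives on the same machine. The following PowerShell audit, added here as an example and not taken from the Duo Labs report or from any OEM tooling, walks the Windows root stores and flags any root that either carries a private key or matches a small watch list of names (the list is my own; extend it as needed). It reports only and removes nothing.

```powershell
# Added example (not from the original post): audit the Windows root stores for
# the eDellRoot/Superfish pattern. A CA certificate in the Root store should not
# normally have a private key on an end-user machine; if it does, anyone who
# extracts that key can mint certificates this machine will trust.
$suspectNames = @('eDellRoot', 'Superfish')          # watch list (assumption: extend as needed)
$stores       = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert    = $_
        $nameHit = [bool]($suspectNames | Where-Object { $cert.Subject -like "*$_*" })

        if ($cert.HasPrivateKey -or $nameHit) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Reason        = if ($cert.HasPrivateKey) { 'private key present for a trusted root' }
                                else                     { 'subject matches watch list' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No trusted roots with a local private key or a watch-listed name were found.'
}

# To remove a finding deliberately (run elevated, after confirming it is not a
# legitimate enterprise CA you manage):
#   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"
```

Two caveats. A root with a private key is expected on the server that actually runs an internal CA, so the check is meaningful on workstations, not CA hosts. And deleting the certificate alone is not enough if the preloaded software that installed it is still present, since that software can put the certificate back; remove the installer as well and re-run the audit after the next reboot.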

The researchers discovered and privately disclosed a dozen vulnerabilities, half of which were high-severity. As of the report:
  • Asus and Acer have not patched their reported vulnerabilities
  • HP has patched four of seven vulnerabilities
  • Lenovo will remove the affected software starting in late June
  • Dell has quietly patched some of the flaws and mitigated others

OEM software tends to run with system-level privileges, above the per-user permissions and prompts that would normally contain a compromised application. An attacker who compromises software running at that level has full control of the machine, and the foothold can be very difficult to remove. Although preloads can be a way for OEMs to earn a bit of extra revenue to offset production costs, OEMs need to take steps to ensure that poorly written software does not leave users vulnerable.
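A practical first step is simply knowing which preloaded agents run as SYSTEM. The PowerShell inventory below is an added example, not from the original post or from any OEM, and it assumes nothing beyond a standard Windows install: it lists auto-start services that run as LocalSystem from a binary outside the Windows directory (on a fresh machine, mostly the OEM update and support agents), and checks whether ordinary users can write to that binary, since a user-writable executable that runs as SYSTEM hands any local attacker full control.

```powershell
# Added example (not from the original post): inventory auto-start services that
# run as LocalSystem from outside %SystemRoot%, and flag binaries that members
# of Users/Everyone/Authenticated Users are allowed to modify.
$systemRoot = $env:SystemRoot

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object {
        # Pull the executable path out of a possibly quoted command line.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }

        # Does a low-privilege group have write/modify/full control on the binary?
        $acl = Get-Acl -Path $exe -ErrorAction SilentlyContinue
        $usersCanWrite = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights  -match 'Write|Modify|FullControl'
        })

        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Account       = $_.StartName
            State         = $_.State
            Executable    = $exe
            UsersCanWrite = $usersCanWrite
        }
    } |
    Where-Object { $_.Executable -notlike "$systemRoot\*" } |
    Sort-Object UsersCanWrite -Descending, Executable |
    Format-Table -AutoSize
```

Anything with UsersCanWrite set to True deserves immediate attention; the rest of the list is the attack surface the post is talking about, and a reasonable candidate list for removal or disabling on machines that do not need vendor update agents.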

Duo Labs’ full report can be found here.