
Out-Of-Box Exploitation: A Security Analysis of OEM Updaters - ctoth
https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
======
slipstream-
I've found enough issues in OEM-preinstalled/OEM-provided stuff that this
isn't a surprise at all. (Most have been fixed by now, at least. Not sure
about the Asus one, as that got reported by someone else over a year prior to
my full disclosure.)

[http://lizardhq.org/2015/11/25/dell-foundation-services.html](http://lizardhq.org/2015/11/25/dell-foundation-services.html)

[http://lizardhq.org/2015/12/01/dell-foundation-services.2.html](http://lizardhq.org/2015/12/01/dell-foundation-services.2.html)

[http://lizardhq.org/2015/12/05/dell-system-detect.html](http://lizardhq.org/2015/12/05/dell-system-detect.html)

[http://lizardhq.org/2015/12/05/lenovo.html](http://lizardhq.org/2015/12/05/lenovo.html)

[http://lizardhq.org/2015/12/05/toshiba-service-station.html](http://lizardhq.org/2015/12/05/toshiba-service-station.html)

[https://rol.im/asux/](https://rol.im/asux/)

------
ivl
Really, this shouldn't come as a surprise. At this point, pre-loaded systems
just aren't worth trusting. Better to remove them entirely and start from
square one. It's a pain, but until consumers put more pressure on
manufacturers, it'll continue being an issue. I'd honestly like to see MS
force clean installs, limited only to drivers as an option, as this bloatware
is just a huge security flaw, and something that lessens the machine.

~~~
cpach
It’s pretty amazing that Microsoft lets the OEMs tarnish the Windows brand
with this shady business.

~~~
MichaelGG
Well, with Windows 8 and now 10, MS is tarnishing their brand, albeit in
different ways. The uncertainty over what MS does and the inability to shut it
off (apparently updates undo settings?) is why I still don't use W10. :\

~~~
JamesSwift
I'm in the same boat, and just want to add that they encourage that feeling to
stay away in me by doing the same in my Win 8.1 install. I have to 'ignore
this update' for the Windows 10 update (KB 3035583, I think) every single time
I 'check for updates'. Seriously?

------
CWuestefeld
Maybe I'm just slow, but their chart seems perfectly ambiguous to me. I can't
figure out whether "red X" means "it's bad", or "green check" means "we
successfully hacked it".

~~~
slipstream-
The former; red X means it's bad.

------
nickpsecurity
Quite expected. I'd like to see them review uLoad and stuff like it, though.
Show us if they're really any better.

[http://cypherbridge.com/ProductsServices.html](http://cypherbridge.com/ProductsServices.html)

------
jbaviat
The Notary framework from Docker allows to securely distribute binary content.
That would benefit many services...

[https://github.com/docker/notary](https://github.com/docker/notary)

------
0x0
It's incredible that (some?) Microsoft Signature Edition builds also are
vulnerable. Isn't being "clean" the entire purpose of this edition?

~~~
slipstream-
Being "clean" doesn't help when OEM drivers have security issues too (example:
[https://rol.im/asux/](https://rol.im/asux/))

~~~
MichaelGG
I'm more upset that drivers can download full programs. I plugged in a mouse,
Windows did its thing, then I was greeted with a big "leet graphics"
registration window.

------
uniqueacct1234
Someone should take a look at the update services for Microsoft Office for Mac
which still does chunks over HTTP as well...

------
Animats
How about Ubuntu's updater? Any problems there?

~~~
djsumdog
On Linux systems you'll see a mix of apt-get (debs), yum/zypper (rpm systems),
emerge (Gentoo/Funtoo based systems), etc.

All of the ones I've mentioned have certificate based checking for the
repository lists. They're verified when they sync. If you want to add a new
repository, you typically have to import their key (don't think this is the
case with Gentoo overlays in layman, but I'm not sure).

Most systems use signed packages too, or at a minimum they verify the SHA
sums.

There have been exploits found and you can search through the bug trackers for
each distribution to find them. If you find any new ones, most distros have
bug bounty programs too.

There are probably some other exploits out there, but in general Linux package
managers are pretty good about verifying package manifests and packages before
installing them.
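The verification model djsumdog describes (a signed repository index, with each package's hash checked against that index before install) as an added Go example; it is not code from the thread or from the Duo report, and the manifest line format, the Ed25519 key pair and the package bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors let the caller distinguish why an update was refused.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrNotListed    = errors.New("package not listed in signed manifest")
	ErrHashMismatch = errors.New("package SHA-256 does not match signed manifest")
)

// HexSum returns the lowercase hex SHA-256 of b, the form used in the manifest lines.
func HexSum(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyPackage is the client-side gate an updater must pass before installing anything:
// manifest is text of "<sha256-hex> <name>" lines (a constructed index format), sig is the
// publisher's Ed25519 signature over that exact text, and pub is the key pinned in the
// client. The transport (HTTP or HTTPS) is never trusted on its own.
func VerifyPackage(pub ed25519.PublicKey, manifest, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature // manifest altered in transit, or signed by a key the client does not pin
	}
	for _, line := range strings.Split(string(manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			if HexSum(pkg) != f[0] {
				return ErrHashMismatch // package swapped after the manifest was signed
			}
			return nil
		}
	}
	return ErrNotListed // a signed manifest cannot vouch for a file it does not mention
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key; only pub ships in the client
	pkg := []byte("constructed package bytes")
	manifest := []byte(HexSum(pkg) + " tool.bin\n")
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("genuine:", VerifyPackage(pub, manifest, sig, "tool.bin", pkg))
	fmt.Println("swapped:", VerifyPackage(pub, manifest, sig, "tool.bin", []byte("replaced in transit")))
}
```

An updater that skips either step (no signature on the index, or a hash it never compares) is trusting whatever the network handed it, which is the failure the Duo report describes.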

------
Justsignedup
Well since every day is a slow news day, and this is great headline-grabbing
and panic inducing information, we need to get this on network news.

