Asus appears to be one of the worst OEMs we looked at, providing attackers with functionality that can only be referred to as remote code execution as a service. The “Asus Live Update” software contains no security features whatsoever, allowing for easy exploitation. Oh yeah, we should probably mention they use this atrocity to push out BIOS updates too.
Useful advice…
Mitigating Strategies
Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. But here’s what we recommend for users:
Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Otherwise, reducing the attack surface should be the first step in any system-hardening process.
Identify unwanted, unnecessary software and disable or uninstall it — more complexity generally results in more security flaws; it’s a simple numbers game.
Purchasing Microsoft Signature Edition systems may be beneficial, but is not guaranteed to protect end users from flaws in OEM software altogether.
Dell, HP and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus.
While I haven’t done an in-depth analysis, the Debian / Ubuntu updating infrastructure seems to do all the right things demanded by the authors. (Although if I understand it correctly, Debian relies on signing, validation and integrity checks rather than TLS, but since it does it properly the result is stronger rather than weaker.)
So a simple solution is “Install Ubuntu/Debian”.
However that does leave a gap… How do you securely update the BIOS? And given that UEFI BIOSes these days are larger monsters than DOS ever was, that might become an issue.
Blog post summary: https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
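The trust chain the comment above describes, as an added example that is not code from the Duo report, this thread, or the apt project: the archive signs an index of package-file hashes, and the client checks the signature with a pinned archive key and then the downloaded file's hash against that index, with no reliance on TLS. It assumes a constructed index format and uses ed25519 in place of the OpenPGP signature apt actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Release stands in for apt's InRelease file (constructed format): a signed index
// listing the SHA256 of each package index. Real apt signs with OpenPGP; ed25519 here.
type Release struct{ Body, Sig []byte }

// MakeRelease is the archive side: build the index and sign it with the archive key.
func MakeRelease(priv ed25519.PrivateKey, files map[string][]byte) Release {
	var b strings.Builder
	b.WriteString("SHA256:\n")
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, " %s %d %s\n", hex.EncodeToString(sum[:]), len(data), name)
	}
	body := []byte(b.String())
	return Release{Body: body, Sig: ed25519.Sign(priv, body)}
}

// VerifyFile is the client side of apt's trust chain: the pinned archive key must
// validate the index signature, and the index must list a hash matching the file.
// TLS plays no part, so a mirror or on-path host cannot swap content unnoticed.
func VerifyFile(pub ed25519.PublicKey, rel Release, name string, data []byte) error {
	if !ed25519.Verify(pub, rel.Body, rel.Sig) {
		return errors.New("release index signature invalid")
	}
	sum := sha256.Sum256(data)
	want := fmt.Sprintf(" %s %d %s", hex.EncodeToString(sum[:]), len(data), name)
	for _, line := range strings.Split(string(rel.Body), "\n") {
		if line == want {
			return nil
		}
	}
	return errors.New("no signed hash for " + name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkgs := []byte("Package: foo\nVersion: 1.0\n") // constructed Packages index
	rel := MakeRelease(priv, map[string][]byte{"main/binary-amd64/Packages": pkgs})
	fmt.Println(VerifyFile(pub, rel, "main/binary-amd64/Packages", pkgs))               // <nil>
	fmt.Println(VerifyFile(pub, rel, "main/binary-amd64/Packages", append(pkgs, '!'))) // error
}
```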