After last week, when several laptop OEMs, including Lenovo once again, were caught installing highly insecure bloatware on their laptops, you might hope that this week would be different. Sadly, you would be mistaken, as once again software preinstalled on laptops is in the news. In this case it is ASUS Live Update, which transmits requests for updates in plain text and does not check the authenticity of any software updates that come back. This, of course, leaves you wide open to man-in-the-middle attacks, where someone posing as those update servers could feed you whatever installation files they desired. As the pull quote from The Inquirer below states, removing it immediately would be a very good idea.
"My advice to anyone who purchased an Asus device: remove LiveUpdate. It's really that simple. If you're an IT administrator, find devices making periodic calls to Asus's domains and blackhole them, get the user to come and see you,"
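The quote's advice to find devices making periodic calls can be checked against web proxy logs. The sketch below is an added example, not code from this post or from The Inquirer; the log format, the client addresses and the placeholder suffix `updates.vendor.example` are constructed assumptions to be replaced with the update hosts seen in your own logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder suffix (assumption): substitute the vendor update domains from your logs.
UPDATE_SUFFIXES = ("updates.vendor.example",)

# Constructed sample proxy log: ISO timestamp, client IP, scheme, requested host.
SAMPLE_LOG = """\
2016-06-06T09:00:00 10.0.4.17 http liveupdate.updates.vendor.example
2016-06-06T09:05:00 10.0.4.22 http liveupdate.updates.vendor.example
2016-06-06T09:07:00 10.0.4.22 http liveupdate.updates.vendor.example
2016-06-06T09:30:00 10.0.4.30 https www.intranet.example
2016-06-06T10:00:03 10.0.4.17 http liveupdate.updates.vendor.example
2016-06-06T10:59:58 10.0.4.17 http liveupdate.updates.vendor.example
2016-06-06T11:30:00 10.0.4.22 http liveupdate.updates.vendor.example
2016-06-06T11:31:00 10.0.4.22 http liveupdate.updates.vendor.example
2016-06-06T12:00:00 10.0.4.17 http liveupdate.updates.vendor.example
"""

def parse(log):
    """Yield (timestamp, client, scheme, host) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, client, scheme, host = parts
        yield datetime.fromisoformat(ts), client, scheme, host.lower()

def is_update_host(host):
    # Match the suffix on a label boundary so lookalike names do not match.
    return any(host == s or host.endswith("." + s) for s in UPDATE_SUFFIXES)

def periodic_callers(log, min_hits=4, max_jitter=0.1):
    """Return {client: mean interval in seconds} for clients that poll an
    update host over plain HTTP at a near-constant interval."""
    hits = defaultdict(list)
    for ts, client, scheme, host in parse(log):
        if scheme == "http" and is_update_host(host):
            hits[client].append(ts)
    flagged = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular polling: enough requests and little spread between the gaps.
        if len(times) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            flagged[client] = round(mean(gaps))
    return flagged

if __name__ == "__main__":
    print(periodic_callers(SAMPLE_LOG))
```

Clients returned by `periodic_callers` are the candidates for the blackhole-and-follow-up step the quote describes; the jitter threshold keeps ordinary, irregular browsing to the same host from being flagged.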
Here is some more Tech News from around the web:
- Siemens Now Commands An Army Of Spider Robots @ Slashdot
- Quieting Scary Web Browser SSL Alerts @ Linux.com
- Microsoft thinks it's fixed Windows Server mess its last fix 'fixed' @ The Register
- AMD Technologies Revealed at Computex 2016 @ Tech ARP
- Computex 2016 Live Coverage Day 5 @ Tech ARP
- Computex 2016 Live Coverage Day 4 @ Tech ARP
“If you’re an IT administrator, find devices making periodic calls to Asus’s domains and blackhole them, get the user to come and see you,”
Shutting network connectivity down on a corporate user with an Asus machine seems a tad extreme. Are there even any real-world exploits? Sounds more like the security researcher using some scare tactics to justify their existence.
I'd do it in a second. Next thing you know someone spoofed your wireless SID, updated them with Cryptolocker and now your shares are encrypted.
Way smarter to remove the possibility than to risk it.
I think that for a lot of big corporate PC/laptop purchases that an enterprise approved custom UEFI/BIOS would need to be installed and the enterprise’s custom OS image installed. So for most midsize and large enterprise customers they can get customized PC/laptop SKUs from the OEMs’ enterprise divisions! But the smaller businesses and Mom and Pops need to be on the lookout for these machines.
Those UEFI/BIOS firmware shenanigans by the OEMs/M$/Others need more regulatory oversight and specific laws made to ban the spyware practices for both consumer and enterprise PC/Laptop/other devices markets. There need to be some anti-bloatware laws/regulations on the books to prevent OEMs, and Vested OS/other interests, from using the user’s own hardware/firmware/OEM system software to spy on the end user. In the US people have a right to privacy and these unscrupulous OEMs/OS makers should not be allowed to violate the end users’ privacy.