
Report: Bloatware Security Flaws Affect Millions of PCs

Pre-installed software makes PCs from Acer, Asus, Dell, HP, and Lenovo vulnerable to hackers.

By Tom Brant
May 31, 2016

After major bloatware security flaws were uncovered last year in Dell and Lenovo PCs, the two manufacturers quickly apologized and fixed the holes. Or so we thought. A new report found that multiple vulnerabilities still exist in the bloatware installed on consumer PCs from five major manufacturers, including Dell and Lenovo.

Researchers at Duo Security examined the OEM software installed on new consumer laptops and desktops from Acer, Asus, Dell, HP, and Lenovo. They were looking for man-in-the-middle exploits like Superfish, a bit of adware that made headlines last year because it allowed third-party access to a user's browser data.

What the researchers found is unsettling but perhaps unsurprising: in addition to hogging the resources of new PCs with unwanted trials and desktop shortcuts, bloatware is an easy-to-open backdoor for hackers to steal user data.

Duo uncovered two such backdoors each in Acer and HP software, while the other manufacturers each had one. Dell's was the eDellRoot certificate, whose vulnerabilities were exposed last year. The company offered a removal tool but continues to include the certificate on new PCs.

While eDellRoot doesn't allow arbitrary code execution, each of the other vulnerabilities does. That makes them among the most dangerous security flaws, since hackers who can remotely execute code may be able to take control of an entire system.

"Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers," Duo researcher Darren Kemp said in a statement. "Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation."

The best remedy is to immediately uninstall all third-party software whenever you buy a new PC, Duo said. You could also consider one of Microsoft's "Signature Edition" PCs, which ship free of bloatware, though they sometimes still include OEM-supplied software updaters and support packages.

