ASUS Delivers Its Updates Over HTTP With No Verification (softpedia.com)
The top five PC sellers have big security holes in the third-party tools which update their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the "Administrators" NT group ("Highest Permissions" task scheduler)."
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."
1) Brand loyalty like sports team;
2) Unsolicited desire to talk about anal sex;
3) Condescending tone -
Apple user detected.
In the absence of industry self-policing, maybe a couple of lawsuits over consequential damages resulting from such incompetent security design would help Asus understand what to do next...
I mean, maybe you don't expect these kinds of manufacturers to have the security and hardware/software design teams of an Apple or IBM (or the sense of responsibility), but c'mon, this is ridiculous.
Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.
What OS?
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.
It would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.
So you think its a good thing if the firmware connects to random places in the network, trying to install software? No thanks.
It would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.
Yeah, UEFI might be a good place to talk about this.
Of course, it is a nice feature if you can update the firmware e.g. via a USB stick you put into the computer, and then you go to the BIOS menu and select "update firmware".
But most people won't need it. Either way, the story was about some userspace windows program that probably sits in the tray bar and shows its splash screen if you log in, one which apparently used HTTP to download the firmware update.
I think life is better if you don't need to have such a program on your computer. Even if you aren't annoyed by some process using up your RAM and so on, you might get into trouble if you install BSD or linux or Haiku OS or anything else and there is no version of the firmware updater available.
They certainly have the resources to hire people who understand security, but most companies don't. Here's something you might not expect to hear from a security professional such as myself - most companies probably SHOULDN'T hire a security expert. So they don't.
Why would I say perhaps they shouldn't hire someone like me? Because it doesn't take 40 hours a week for me to say "serve the update over TLS and sign the file". I could protect them from this level of stupid in 1 hour, the other 39 hours they don't really NEED a security expert.
IMHO what most companies should probably do is invite a security professional to join a web conference or meeting for 30 minutes to an hour at an early stage of a new software project, as the requirements are being firmed up. At this stage I'd hear "download updates" and I'd speak up.
Then invite your security pro back as the design is finalized, then once more just before release. In no more than three hours a security pro could avoid this type of egregious mistake, while also pointing out a couple of areas that affect reliability (which is also part of security).
This could cost $1,000 per project or even less if you engage your security pro on a regular basis. So you get 80% of the benefit of having a security professional on staff, at less than half the cost.
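As an added example (not code from the page, from ASUS, or from Softpedia) of what "serve the update over TLS and sign the file" means for the LiveUpdate flow described in the summary (a ZIP fetched over plain HTTP, extracted to a temp directory and executed unverified): a Go updater gate that refuses non-HTTPS URLs, verifies a detached Ed25519 signature over the raw archive bytes with a pinned public key before the ZIP is even parsed, and rejects archive entries whose names would escape the extraction directory. The key pair, the host updates.example, the directory /tmp/asus-update and the in-memory archive are all constructed for the example; a real updater would embed only the vendor's public key and fetch the archive and signature over HTTPS.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Failure classes the updater refuses on before it extracts or runs anything.
var (
	ErrInsecureTransport = errors.New("update URL is not https")
	ErrBadSignature      = errors.New("archive signature does not verify")
	ErrUnsafePath        = errors.New("archive entry would escape the extraction directory")
)

// BuildArchive builds an in-memory ZIP from constructed sample files so the
// example runs offline; a real updater receives these bytes over HTTPS.
func BuildArchive(files map[string][]byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range files {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write(data); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// NewSigningKey stands in for the vendor's offline release key (constructed
// here); only the public half would be compiled into the updater.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArchive is the vendor-side step: a detached signature published beside
// the archive (a hypothetical fw.zip.sig).
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// SafeTargets maps each entry to its destination under dir and rejects any
// name that would resolve outside dir ("zip slip" via ../ components).
func SafeTargets(archive []byte, dir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	base := filepath.Clean(dir)
	var targets []string
	for _, f := range zr.File {
		target := filepath.Join(base, f.Name) // Join also cleans the path
		if !strings.HasPrefix(target, base+string(filepath.Separator)) {
			return nil, fmt.Errorf("%w: %q", ErrUnsafePath, f.Name)
		}
		targets = append(targets, target)
	}
	return targets, nil
}

// InstallUpdate is the gate the real updater lacked: transport check, then
// signature over the raw bytes with the pinned key (before the ZIP is parsed,
// so a tampered download never reaches extraction code), then path checks.
// It returns the files it would be safe to write under dir.
func InstallUpdate(pub ed25519.PublicKey, updateURL string, archive, sig []byte, dir string) ([]string, error) {
	if u, err := url.Parse(updateURL); err != nil {
		return nil, err
	} else if u.Scheme != "https" {
		return nil, ErrInsecureTransport
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, archive, sig) {
		return nil, ErrBadSignature
	}
	return SafeTargets(archive, dir)
}

func main() {
	pub, priv, _ := NewSigningKey()
	archive, _ := BuildArchive(map[string][]byte{"bios/firmware.bin": []byte("constructed firmware image")})
	sig := SignArchive(priv, archive)
	targets, err := InstallUpdate(pub, "https://updates.example/fw.zip", archive, sig, "/tmp/asus-update")
	fmt.Println("signed archive over https:", targets, err)
	tampered := append([]byte(nil), archive...)
	tampered[len(tampered)-1] ^= 0xff // one flipped byte is enough to fail verification
	_, err = InstallUpdate(pub, "https://updates.example/fw.zip", tampered, sig, "/tmp/asus-update")
	fmt.Println("tampered archive:", err)
}
```

The order of the checks is the point: the signature is verified over the bytes as downloaded, so nothing in the archive is parsed, extracted or executed until the vendor's key has vouched for it, and the path check closes the remaining hole of a signed-but-malformed archive writing outside its temp directory. Signing the file also removes the dependence on the transport: a signed archive served over HTTP would still fail if modified in transit, although HTTPS is kept as a second layer because it also protects the client from being told about the wrong update in the first place.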
The other day my computer restarted from a power outage while the DSL connection was down, which means my annoying AT&T/Uverse modem eats all port 80/www traffic to redirect to its 'DSL Failed to Connect' HTML page.
Imagine my astonished horror to see pieces of this modem-generated page in the AVG dialog (I put the red stuff in). The firewall 'button' on the product's main screen, and the dynamic ad it places on the bottom, also the notification it puts on the bottom-right of the screen on boot.
So AVG is doing unencrypted HTTP to get its advertisements and HTML on-screen widgets. Click here to see their fake 'button' for the firewall which was visible to Wireshark. I understand when shareware does this... but AVG? An actual button on their product screen? WTF!
I hope someone from AVG who knows security reads this because I let them know about this systemic problem and they started asking me irrelevant questions about my setup.
<blink>down the rabbit hole</blink>
This is why the Next Generation of Open Source *has* to be hardware.
It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.