Slashdot Mirror

← Back to Stories (view on slashdot.org)

ASUS Delivers Its Updates Over HTTP With No Verification (softpedia.com)

Posted by EditorDavid on from the securing-the-perimeter dept.

The top five PC sellers have big security holes in the third-party tools which updates their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the "Administrators" NT group ("Highest Permissions" task scheduler).
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."

2 of 77 comments (clear)

  1. 60 minutes with a security professional by raymorris · · Score: 5, Insightful

    They certainly have the resources to hire people who understand security, but most companies don't. Here's something you might not expect to hear from a security professional such as myself - most companies probably SHOULDN'T hire a security expert. So they don't.

    Why would I say perhaps they shouldn't hire someone like me? Because it doesn't take 40 hours a week for me to say "serve the update over TLS and sign the file". I could protect them from this level of stupid in 1 hour, the other 39 hours they don't really NEED a security expert.

    IMHO what most companies should probably do is invite a security professional to join a web conference or meeting for 30 minutes to an hour at an early stage of a new software project, as the requirements are being firmed up. At this stage I'd hear "download updates" and I'd speak up.

    Then invite your security pro back as the design as finalized, then once more just before release. In no more than three hours a security pro could avoid this type of egregious mistake, while also pointing out a couple of areas that affect reliability (which is also part of security).

    This could cost $1,000 per project or even less if you engage your securiry pro on a regular basis. So you get 80% of the benefit of having a security professional on staff, at less than half the cost.

  2. Next Generation by ThatsNotPudding · · Score: 4, Interesting

    This is why the Next Generation of Open Source *has* to be hardware.

    It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.