Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Security Hardware

ASUS Delivers Its Updates Over HTTP With No Verification (softpedia.com) 77

The top five PC sellers have big security holes in the third-party tools which updates their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the "Administrators" NT group ("Highest Permissions" task scheduler).
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."
This discussion has been archived. No new comments can be posted.

ASUS Delivers Its Updates Over HTTP With No Verification

Comments Filter:
  • What about the following:

    1. The manufacturer publishes the updated firmware on their website
    2. The manufacturer notifies the OS vendors
    3. The OS vendors put the updated version of the firmware into their software repos

    The manufacturer doesn't have to reinvent any wheel here, and the update process is as secure and as convenient as the normal OS update process is for the OS you are using.

    • You left out everything that is wrong with the process. Updates should be delivered through an encrypted connection to prevent man in the middle attacks, and the files should be verified with hashes at the very least.

      • Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.

        • Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.

          What OS?
          We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

          If would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.

          • We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

            So you think its a good thing if the firmware connects to random places in the network, trying to install software? No thanks.

            If would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.

            Yeah, UEFI might be a good place to talk about this.

            Of course, it is a nice feature if you can update the firmware e.g. via an usb stick you put into the computer, and then you go to the BIOS menu and select "update firmware".

            But most people won't need it. Either way, the story was about some userspace windows program that probably sits in the tray bar and shows its splash screen if

            • We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.

              So you think its a good thing if the firmware connects to random places in the network, trying to install software? No thanks.

              That's clearly not what I said. I was questioning the absence of addressing the relevant issue of updating in the absence of an OS.
              I would expect some kind of signing so that the code it fetches from wherever it is pointed to either by the user or self configuration or malicious activity can be validated and the user told that status and the user given policy control over what to do about it. The user might be writing their own code and know it isn't signed by the board vendor, but most users want to know t

        • by iCEBaLM ( 34905 )

          You're just pushing the functionality down a level so instead of the user having the option to remove it or not, now the user has to have it because it's part of the OS.

        • by Lumpy ( 12016 )

          Or like ASUS does it, makes you burn a DOS boot CD to install the firmware..... no thanks.

          If they cant update the firmware from the host OS, then their programmers are zero talent hacks.

          • What the hell are you talking about? You can without a problem install a new firmware, with or without trojan, right out of Windows.

        • Why should every OS have to deal with firmware, something that SHOULD happen long before any OS is involved (yeah, I know that thanks to UEFI this safeguard has gone out the window now)?

          • Well its better than userspace programs dealing with firmware. AND it is better if the OS handles firmware upgrades than the firmware phoning home, completely separately from the OS.

            • The point is that neither is good. A firmware should be the final safeguard against being compromised. Last line of defense. And in this function, updating it should never be something that can happen without the user's knowledge.

              An UEFI update CAN happen without a user's knowledge. And that's dangerous.

        • And the OS should also handle installation of programs and keeping them up to date.

          Oh wait my computer has done this for over a decade. Love Linux's lack of useless install wizards. :)

  • In the absence of industry self-policing, maybe a couple of lawsuits over consequential damages resulting from such incompetent security design would help Asus understand what to do next...

    I mean, maybe you don't expect these kinds of manufacturers to have the security and hardware/software design teams of an Apple or IBM (or the sense of responsibility), but cmon this is ridiculous.
    • You'll first have to prove that you incurred actual damage because of this. Someone must actually get hacked by a man in the middle before they can sue Asus. Until that happens, they're in the clear.

  • I never had to update BIOS just so it can support my new CPU. Upgradeable firmware is just asking for trouble.

    • by Anonymous Coward

      I definitely recall boards that needed bios updates to support new generation of cpu.

  • by TheRealHocusLocus ( 2319802 ) on Sunday June 05, 2016 @07:29PM (#52256237)

    The other day my computer restarted from a power outage while the DSL connection was down, which means my annoying AT&T/Uverse modem eats all port 80/www traffic to redirect t its 'DSL Failed to Connect' HTML page.

    Imagine my astonished horror to see pieces of this modem-generated page in the AVG dialog [photobucket.com] (I put the red stuff in). The firewall 'button' on the product's main screen, and the dynamic ad it places on the bottom, also the notification it puts on the bottom-right of the screen on boot.

    So AVG is doing unencrypted HTTP to get its advertisements and HTML on-screen widgets. Click here [avg.com] to see their fake 'button' for the firewall which was visible to Wireshark. I understand when shareware does this... but AVG? An actual button on their product screen? WTF!

    I hope someone from AVG who knows security reads this because I let them know about this systemic problem it and they started asking me irrelevant questions about my setup.

    • I'm flummoxed here. One one hand, you're obviously smart and competent to be aware of such things. On the other, WTF MAN were you thinking??!!! AVG IS SHIT; and has been for years. Why??

      Might I recommend something like Bitdefender (my personal trusted favorite), Norton AV, or even Kaspersky?

      • I'm flummoxed here. One one hand, you're obviously smart and competent to be aware of such things. On the other, WTF MAN were you thinking??!!! AVG IS SHIT; and has been for years. Why?? Might I recommend something like Bitdefender (my personal trusted favorite), Norton AV, or even Kaspersky?

        Thanks for the heads-up. Yes, Bitdefender and Kaspersky are on my radar as excellent products (and av-comparatives.org agrees with you [av-comparatives.org]) and I guess I could say there's a great deal of loyalty in my choice. I've been following AVG the company since the days 'Stoned' was still making the rounds and they've been consistent. Like any PC tech, my clients have run the gamut of the corporate "Just give me the bottom line and I'll write you a check" ... to users who say "If I have to buy something else, it'll ha

        • Well my friend, times of changed. One thing I've learned about brand loyalty is that my loyalty changes when the underlying people that constitute the brand changes. So yes, AVG was great in the early mid 2000's, but now, succumbed to scummy tool-bar practices. Meanwhile, products such as ZoneAlarm, Lavasoft, and Spybot Search and Destroy have long been superseded by more advanced anti-malware products and advancements in newer Windows versions (7, 8 , Win10 etc).

          Time is money. While yes, you aim to provide

  • This updater may be broken and insecure, but why the hell would anyone trust an automatic updater to do stuff like BIOS or UEFI updates?

    This is like trusting a child with a handgun to play with and being shocked when someone gets shot.

    If there's an update like that, the user should be notified, and if so inclined, should go see if it's something they want to install at a time of their choosing. Perhaps first backing up your current BIOS or UEFI and perhaps doing a data backup too, just in case. Because, y

    • They really should not be done unless there is an actual problem that will actually be solved by the update.

      Given that many UEFI updates patch security flaws, it's a good idea to keep up to date. BIOS had its issues, but UEFI offers a much larger attack surface.

  • Next Generation (Score:5, Interesting)

    by ThatsNotPudding ( 1045640 ) on Monday June 06, 2016 @06:57AM (#52258315)
    This is why the Next Generation of Open Source *has* to be hardware.

    It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.
  • Sophos Antivirus's AutoUpdate feature flows over HTTP. This has been a known issue since 2013 and Sophos doesn't care [astaro.com].

The person who makes no mistakes does not usually make anything.

Working...