ASUS Delivers Its Updates Over HTTP With No Verification (softpedia.com) 77
The top five PC sellers have big security holes in the third-party tools which update their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the "Administrators" NT group ("Highest Permissions" task scheduler)."
Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."
Re: (Score:2, Funny)
1) Brand loyalty like sports team;
2) Unsolicited desire to talk about anal sex;
3) Condescending tone -
Apple user detected.
Re: (Score:2)
And what about all the people that suffer from the botnets created by this vulnerability?
What about (Score:2)
What about the following:
1. The manufacturer publishes the updated firmware on their website
2. The manufacturer notifies the OS vendors
3. The OS vendors put the updated version of the firmware into their software repos
The manufacturer doesn't have to reinvent any wheel here, and the update process is as secure and as convenient as the normal OS update process is for the OS you are using.
Re: (Score:2)
You left out everything that is wrong with the process. Updates should be delivered through an encrypted connection to prevent man-in-the-middle attacks, and the files should be verified with hashes at the very least.
Re: (Score:2)
Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.
Re: (Score:3)
Exactly, but why should each hardware vendor have to write their own firmware updater program? The OS should take care of this, I don't want to have an extra program running just for the firmware updates.
What OS?
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.
It would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.
Re: (Score:3)
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.
So you think it's a good thing if the firmware connects to random places in the network, trying to install software? No thanks.
It would be reasonable to point a finger at say UEFI and say "Standardize a secure firmware replacement protocol and provide a reference implementation". But while OS vendors could be part of the recipe, the recipe needs to work without them.
Yeah, UEFI might be a good place to talk about this.
Of course, it is a nice feature if you can update the firmware e.g. via a USB stick you put into the computer, and then you go to the BIOS menu and select "update firmware".
But most people won't need it. Either way, the story was about some userspace windows program that probably sits in the tray bar and shows its splash screen if
Re: (Score:2)
We're talking about firmware that exists on the computer independent of any operating system. That firmware is needed to boot OS install media. You need to be able to update it without an OS present.
So you think it's a good thing if the firmware connects to random places in the network, trying to install software? No thanks.
That's clearly not what I said. I was questioning the absence of addressing the relevant issue of updating in the absence of an OS.
I would expect some kind of signing so that the code it fetches from wherever it is pointed to either by the user or self configuration or malicious activity can be validated and the user told that status and the user given policy control over what to do about it. The user might be writing their own code and know it isn't signed by the board vendor, but most users want to know t
Re: (Score:2)
You're just pushing the functionality down a level so instead of the user having the option to remove it or not, now the user has to have it because it's part of the OS.
Re: (Score:2)
Well a sane OS will give the user the option to disable it.
Re: (Score:2)
The BIOS has no care what operating system is installed, nor should it.
So why should the BIOS updates depend on a userspace program?? There is no such thing as OS independent userspace programs, so every updater the hardware manufacturer can ever write will require some OS to be installed.
You are suggesting Microsoft, Apple, Red Hat, BSD, etc. should make an updater for every type of hardware out there, even the ones they don't know about.
There should be some standardized interface where the OS can present the BIOS a firmware image and if the BIOS verifies the signature then it will install it. There is no need for some userspace program filling up the system tray and connecting every 30 minutes with some hardware vendor serve
Re: (Score:2)
Or like ASUS does it, makes you burn a DOS boot CD to install the firmware..... no thanks.
If they can't update the firmware from the host OS, then their programmers are zero talent hacks.
Re: (Score:2)
What the hell are you talking about? You can without a problem install a new firmware, with or without trojan, right out of Windows.
Re: (Score:2)
Why should every OS have to deal with firmware, something that SHOULD happen long before any OS is involved (yeah, I know that thanks to UEFI this safeguard has gone out the window now)?
Re: (Score:2)
Well it's better than userspace programs dealing with firmware. AND it is better if the OS handles firmware upgrades than the firmware phoning home, completely separately from the OS.
Re: (Score:2)
The point is that neither is good. A firmware should be the final safeguard against being compromised. Last line of defense. And in this function, updating it should never be something that can happen without the user's knowledge.
A UEFI update CAN happen without a user's knowledge. And that's dangerous.
Re: (Score:2)
And the OS should also handle installation of programs and keeping them up to date.
Oh wait my computer has done this for over a decade. Love Linux's lack of useless install wizards. :)
suggestion (Score:3)
I mean, maybe you don't expect these kinds of manufacturers to have the security and hardware/software design teams of an Apple or IBM (or the sense of responsibility), but c'mon this is ridiculous.
Re: (Score:2)
You'll first have to prove that you incurred actual damage because of this. Someone must actually get hacked by a man in the middle before they can sue Asus. Until that happens, they're in the clear.
Re: (Score:2)
it would still be hard to show damages.
a much more effective way of getting this fixed would be to write code which deletes key system files on their machine and replaces them with the message you suggested. you could even fund your charity-hacking by scanning the drive for poorly-encrypted account information and bitcoin wallets, or by encrypting personal files and holding them ransom!
Re: (Score:2)
TRIGGER WARNING: YOU WERE MOLESTED AS A CHILD.
I was molested as a child? I never knew...this explains so much...
Re: (Score:2)
Hmm, talking behind your back? Wouldn't that be private messaging?
Posting on a public forum that you are known to read is not, and never could be described as talking behind your back. Are you delusional APK?
Re: (Score:2)
That's 1.
https://slashdot.org/comments.... [slashdot.org]
Re: (Score:2)
If you can build a mass market laptop, you have the talent to implement a secure install process, at least one that an above-average high school programmer could write, and that would make a second-rate undergraduate project at best.
My conclusion must therefore be that this is intentional: because those who control the company, for whatever reason, desire an environment where the user enjoys no security.
Or have at least created an environment where both a white hat and US-CERT are told to "go away."
Re: (Score:2)
ASUS is Taiwanese. I doubt that they have a whole lot of love for "the usual Chinese MO".
60 minutes with a security professional (Score:5, Insightful)
They certainly have the resources to hire people who understand security, but most companies don't. Here's something you might not expect to hear from a security professional such as myself - most companies probably SHOULDN'T hire a security expert. So they don't.
Why would I say perhaps they shouldn't hire someone like me? Because it doesn't take 40 hours a week for me to say "serve the update over TLS and sign the file". I could protect them from this level of stupid in 1 hour, the other 39 hours they don't really NEED a security expert.
IMHO what most companies should probably do is invite a security professional to join a web conference or meeting for 30 minutes to an hour at an early stage of a new software project, as the requirements are being firmed up. At this stage I'd hear "download updates" and I'd speak up.
Then invite your security pro back as the design is finalized, then once more just before release. In no more than three hours a security pro could avoid this type of egregious mistake, while also pointing out a couple of areas that affect reliability (which is also part of security).
This could cost $1,000 per project or even less if you engage your security pro on a regular basis. So you get 80% of the benefit of having a security professional on staff, at less than half the cost.
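The "sign the file" check this post calls for, and the "verified with hashes at the very least" point made in an earlier reply, as an added Go example (not ASUS's updater or any vendor's code): the vendor signs the archive bytes with an Ed25519 key, and the client refuses to even parse the ZIP unless the signature verifies against the pinned vendor public key. The key pair, archive contents and in-transit modification are constructed for the demo; the TLS download itself is assumed and not shown.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ErrBadSignature: the download was not signed by the pinned vendor key (modified in transit, or wrong source).
var ErrBadSignature = fmt.Errorf("update signature does not verify against vendor key")

// BuildArchive constructs an in-memory ZIP standing in for a downloaded update package (constructed sample).
func BuildArchive(files map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range files {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

// SignUpdate is the vendor side: sign the archive bytes with a key that never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// VerifyUpdate is the client side: check the signature against the pinned public key BEFORE
// the ZIP is parsed, extracted or run; only then open it and return the entries to extract.
func VerifyUpdate(pub ed25519.PublicKey, archive, sig []byte) ([]*zip.File, error) {
	if !ed25519.Verify(pub, archive, sig) {
		return nil, ErrBadSignature
	}
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	return zr.File, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key; a real client pins the vendor's public key
	archive := BuildArchive(map[string]string{"Update.exe": "constructed sample, not a real binary"})
	sig := SignUpdate(priv, archive)
	fmt.Println(VerifyUpdate(pub, archive, sig))
	archive[len(archive)-1] ^= 0xff // simulate one byte altered in transit over plaintext HTTP
	fmt.Println(VerifyUpdate(pub, archive, sig))
}
```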
Re: (Score:2)
In reality they have hundreds of these conversations and the updates were an add-on at the end. It's never a 30 minute engagement and besides, if you were actually a security consultant* you'd know the cost of sales for a 1 hour engagement means you won't get anyone that's not completely useless to sign on for that. I've never even seen a contract for a /day/ and you're suggesting 3x 1 hour engagements? That's laughable.
That's not to say outsourcing security is a bad idea, but your proposal sucks.
*I have no
How's that old model working out? (Score:2)
I am familiar with the old model, used by most large corporations. How well has that been working?
I'm also familiar with what I've been DOING for the last 20 years, a model that is commonplace in certain sectors.
> you won't get anyone that's not completely useless to sign on for that. ...
> *I have no idea what your security expertise might be, but you clearly know jack about consulting.
If you haven't been paying attention to Slashdot comments over the years, you can use Google to check out my crede
Re: (Score:2)
Ray Morris is a bit too common a name to Google.
I've done the SME model too, and it sucks, and they simply don't get hired by government/large corporations because their boards would crucify management if something went wrong.
Remember, you're talking about a company with revenue in the billions.
Re: (Score:2)
jojoba oil is used in a lot of things, both industrial and cosmetic.
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
Jojoba oil is the liquid produced in the seed of the Simmondsia chinensis (Jojoba) plant, a shrub, which is native to southern Arizona, southern California, and northwestern Mexico.
Not sure what Wikipedia article you read, but I don't see anywhere in there a mention of goat nuts.
UEFI is a horrible mess (Score:1)
I never had to update BIOS just so it can support my new CPU. Upgradeable firmware is just asking for trouble.
Re: (Score:1)
I definitely recall boards that needed BIOS updates to support a new generation of CPU.
AVG uses INSECURE connections too. (Score:3)
The other day my computer restarted from a power outage while the DSL connection was down, which means my annoying AT&T/Uverse modem eats all port 80/www traffic to redirect to its 'DSL Failed to Connect' HTML page.
Imagine my astonished horror to see pieces of this modem-generated page in the AVG dialog [photobucket.com] (I put the red stuff in). The firewall 'button' on the product's main screen, and the dynamic ad it places on the bottom, also the notification it puts on the bottom-right of the screen on boot.
So AVG is doing unencrypted HTTP to get its advertisements and HTML on-screen widgets. Click here [avg.com] to see their fake 'button' for the firewall which was visible to Wireshark. I understand when shareware does this... but AVG? An actual button on their product screen? WTF!
I hope someone from AVG who knows security reads this because I let them know about this systemic problem and they started asking me irrelevant questions about my setup.
Re: (Score:2)
I'm flummoxed here. One one hand, you're obviously smart and competent to be aware of such things. On the other, WTF MAN were you thinking??!!! AVG IS SHIT; and has been for years. Why?? Might I recommend something like Bitdefender (my personal trusted favorite), Norton AV, or even Kaspersky?
Thanks for the heads-up. Yes, Bitdefender and Kaspersky are on my radar as excellent products (and av-comparatives.org agrees with you [av-comparatives.org]) and I guess I could say there's a great deal of loyalty in my choice. I've been following AVG the company since the days 'Stoned' was still making the rounds and they've been consistent. Like any PC tech, my clients have run the gamut of the corporate "Just give me the bottom line and I'll write you a check" ... to users who say "If I have to buy something else, it'll ha
Re: (Score:2)
Intelligent people removed avg years ago, when they turned to the dark side.
So when did this happen?
When someone could not fathom [computertutorflorida.com] the difference between crapware-enhanced installation bundles from CNET/DOWNLOAD.com and direct download from AVG.com? When someone got the (socialist) idea that default installs of any free product should include full functionality with a promise to collect and use no information?
Clueless (socialist) whiners.
When antivirus vendors started offering [avg.com], and 'free' users started demanding, per-DNS-lookup and per-click protection that is based on continuous qu
Idiocy (Score:2)
This updater may be broken and insecure, but why the hell would anyone trust an automatic updater to do stuff like BIOS or UEFI updates?
This is like trusting a child with a handgun to play with and being shocked when someone gets shot.
If there's an update like that, the user should be notified, and if so inclined, should go see if it's something they want to install at a time of their choosing. Perhaps first backing up your current BIOS or UEFI and perhaps doing a data backup too, just in case. Because, y
Re: (Score:2)
They really should not be done unless there is an actual problem that will actually be solved by the update.
Given that many UEFI updates patch security flaws, it's a good idea to keep up to date. BIOS had its issues, but UEFI offers a much larger attack surface.
Next Generation (Score:5, Interesting)
It is insane how much trust we still place in component manufacturers / assemblers that can easily be lazy, incompetent, compromised by TLAs of every country, or all three.
Sophos Too (Score:2)