Computer chips on a processor showing how preloaded apps are becoming security threats
When Preloaded Apps Graduate From Annoyance to Security Threat by Scott Ikeda

When Preloaded Apps Graduate From Annoyance to Security Threat

Vulnerabilities Found In Lenovo, HP and Dell Bloatware

Tech-savvy PC users expect to have to clean out some preloaded apps from any new computer they buy. Hardware manufacturers love to preinstall space- and memory-hogging software and apps that end users don’t have a use for.

This cleaning ritual is usually for the sake of PC performance, and possibly the elimination of unwanted data sharing. But it’s also a good idea from a security perspective; “bloatware” is capable of opening up holes in your system defenses.

Three recent high-profile bloatware cases serve as an excellent reminder of the need to prune unwanted software and apps from computer ecosystems. Preloaded apps found on current Lenovo, HP and Dell systems all have unique and serious security vulnerabilities that require end users to take extra steps to fix.

Lenovo’s lateral vulnerability

In August, security researchers found a vulnerability in the Lenovo System Interface Foundation software preloaded on all Windows-based Lenovo PCs manufactured in recent years.

The vulnerability, published by SafeBreach Labs as “Lenovo System Interface Foundation DLL Preloading and Potential Abuses CVE-2019-6189”, allows any authenticated user with access to the Lenovo PC to execute code as another user. Admins have the ability to load unsigned DLLs, an exploit that an attacker could use to very quickly sideload persistent malicious code onto the system.

The researchers report that with admin access an attacker is able to load an arbitrary unsigned DLL into a signed process that runs as NT AUTHORITYSYSTEM. This creates a persistence mechanism with the capacity to load and execute malicious payloads each time the system is restarted.

Lenovo System Interface Foundation is a component of Lenovo Vantage, which is in a grey area as far as bloatware goes. It isn’t completely useless, as it has some hardware diagnosis and system customization functions that are unique to Lenovo hardware and/or difficult to otherwise find in Windows. If that was all it did, it would be great. Unfortunately, it also periodically pops up unrequested “nagware” reminders and promotions of other Lenovo services. This has caused a number of Lenovo users to remove it even though it does provide some helpful system tools.

Security researchers with SafeBreach Labs discovered and reported this vulnerability to Lenovo in late August. The company issued a security update to fix it on November 19. Lenovo users will have to manually patch it by visiting the Lenovo website and downloading the most recent version of Lenovo System Interface Foundation.

HP’s Touchpoint problem

SafeBreach Labs also discovered a similar vulnerability in a similar hardware management tool that is pre-installed on modern HP PCs.

The vulnerability is found in Open Hardware Monitor, which keeps tabs on the current temperature and fan speeds of a computer. Open Hardware Monitor is bundled with HP Touchpoint Analytics, a pre-installed software package on most new HP computers that has been criticized for “phoning home” with sensitive telemetry data without notifying the computer owner.

The exploit takes advantage of the Open Hardware Monitor driver’s top-level privileges. An attacker can make use of this to read and write to system memory. According to SafeBreach, “A number of potential attacks could result from exploiting this vulnerability giving attackers the ability to load and execute malicious payloads using a signed service, effectively whitelisting those applications. This capability for “Application Whitelisting Bypass” and “Signature Validation Bypassing” might be abused by an attacker for different purposes such as execution and evasion, to name two.”

HP issued a patch for the vulnerability in early October, but it requires end users to manually run HP’s “TechPulse Updater” from the Programs menu in Windows. Of course, the app can also simply be uninstalled with no ill effects.

Dell’s dirty diagnostics

Earlier in the year, SafeBreach Labs had discovered yet another vulnerability in a preloaded app that is common on Dell computers.

Dell pitches their SupportAssist software as an automated system defender and optimizer, actively scanning for malware and hardware flaws in the background while also prompting users to keep on top of driver and software updates. While it does perform helpful functions, it’s basically a constant resource-using busybody that unnecessarily automates things that many users are capable of taking care of either manually or with better software.

The vulnerability allows attackers with access to the system to replace benign DLL files located in a publicly accessible folder with harmful ones. Foreign DLLs packed with malware would then be executed using the app’s highest-level administrative permissions to thoroughly infect a system.

If you run a Dell PC with SupportAssist active, it likely patched itself automatically sometime over the summer. If it didn’t, you’ll need to download and install the latest version to fix this flaw.

Preloaded app security holes: Not a new problem

Security researchers have been warning about the dangers of preloaded apps and software for years now, and these are hardly the first high-profile examples.

A similar set of vulnerabilities that impacted Dell, Lenovo and Toshiba computers was discovered back in 2016. These attacked similar high-level preinstalled apps, such as the Lenovo Solution Center (a precursor to Lenovo Vantage).

Some Lenovo computers sold between 2014-2016 also came packaged with the notorious “Superfish” software, a data harvesting system that created a major vulnerability by making use of a universal self-signed certificate authority.

Lenovo had further issues in the early days of Windows 10 with its “Accelerator Application,” which was supposed to speed up the launch of certain programs and apps. This app could similarly be abused by an attacker as part of a “man in the middle” approach. Instead of patching the vulnerability out of this preloaded app, Lenovo simply advised customers to remove it from their systems.

Why do hardware companies persist in installing bloatware on new systems? In the case of third-party partnerships, it’s a lucrative revenue stream. When they install their own preloaded apps of questionable value, it’s usually either to gather data or to provide a “trial” version that they then try to upsell the consumer on.

Vulnerability found on Lenovo preloaded software allows any authenticated user with access to the PC to execute code as another user. #security #respectdataClick to Tweet

Unfortunately, bloatware is unlikely to go anywhere anytime soon. For every tech-savvy user who manually removes unwanted preloaded apps and keeps up with patches, there are at least 10 less sophisticated users who will simply click on and use whatever the manufacturer puts in front of them. The revenue from that appears to outweigh the frustration and negative sentiment expressed by customers by a significant margin, indicating that preloaded apps are an attack vector that will continue to frustrate security teams for some time.