Bloatware from 5 Major PC Firms 'A Security Risk'

John Lister's picture

A security firm says that laptops from five major PC manufacturers have inherent security flaws which leave the systems open to attack the very first time they are used. The problem lies with the automatic update tools installed by the manufacturer.

Duo Labs explored the pre-installed manufacturer software on laptops from Acer, Asus, Dell, HP and Lenovo. In total, they found 12 vulnerabilities which they described as being ridiculously simple to exploit. (Source: duo.com)

The software is what's officially known as Original Equipment Manufacturer (OEM) software, but commonly referred to by critics as "bloatware" or "crapware". Among the examples are software that automatically registers a computer for support services, software that checks for outdated drivers, and limited-time free trials of security software. Such software often slows down computers by needlessly using memory or automatically starting at bootup.

Updater Tools A Particular Problem

One of the big security concerns identified by Duo Labs was that all five companies preinstalled 'updater tools' which had at least one security vulnerability. The most common problem was that these tools did not properly check whether they were connecting to the intended target server to find and download new software, similar to the exploit discovered in November 2015 with Dell machines. In many cases, they were also failing to check that the downloaded software was authentic before installing.

To make things worse, many of these tools are set up to run code as the SYSTEM user. That means they have complete access to the entire computer and operating system, in turn meaning the potential damage from any breach is much more serious.

Another problem was that the preinstalled software was often set up and added to the machine in an inconsistent and illogical manner. In some cases, multiple pieces of bloatware on the same machine were set up in different ways, making it harder to track and fix any vulnerabilities.
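A read-only PowerShell inventory of the exposure described above: services that run as SYSTEM and whose executable is not validly signed by Microsoft, which is where OEM updater services show up. This is an added example, not code from the Duo Labs report; `Get-ServiceExePath` is a helper name introduced here, and the signer filter assumes Windows' own binaries carry `O=Microsoft Corporation` in the certificate subject.

```powershell
# Added example: list services that run as SYSTEM and are not signed by Microsoft.
# Read-only; it changes nothing on the machine.

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName is a command line, either
    #   "C:\dir\app.exe" -arg    or    C:\dir\app.exe -arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$report = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # LocalSystem is the account the article calls the SYSTEM user
    if ($svc.StartName -ne 'LocalSystem') { continue }

    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Skip Windows' own components; what remains is third-party, OEM tools included
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }

    [pscustomobject]@{
        Service   = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
        SigStatus = $sig.Status
        Signer    = $signer
        Path      = $exe
    }
}

$report | Sort-Object Signer, Service | Format-Table -AutoSize -Wrap
```

Grouping by signer puts each manufacturer's services together, which helps when the same vendor has installed several tools in different ways. The script covers services only: updaters launched from scheduled tasks, or third-party DLLs hosted inside `svchost.exe`, will not appear.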

Microsoft Anti-Bloatware Program Flawed

The researchers also found that a Microsoft program called Microsoft Signature Edition, which is designed to show a computer has a "clean" version of Windows without any bloatware, is no guarantee that this will be the case.

According to the researchers, users have two main options to mitigate these risks. One is to disable or uninstall any preinstalled software that doesn't appear to be genuinely necessary and useful. Another is to completely wipe the hard drive and reinstall a fresh copy of Windows obtained directly from Microsoft. (Source: cnet.com)

What's Your Opinion?

Have you encountered problems with bloatware on a new laptop? If so, what's your strategy for dealing with it? Can such preinstalled programs have enough benefit to outweigh the risks?


Comments

Dennis Faas's picture

For a lot of users, reinstalling Windows may not be an option - at least, that was true prior to Windows 8.1. Previous to that, Microsoft did not allow users to download Windows from the Internet unless you jumped through hoops. Now, Windows 8.1 and 10 can easily be downloaded as .ISOs and burned to DVD or written to USB, then used as a clean install method. Without this option, most users were forced to uninstall crapware manually, which could literally take hours. My best advice for anyone who is unable to legally obtain a clean install of Windows (prior to 8.1): make a disk image backup after you uninstall all the crapware, then use that image as your go-to source for a 'clean' install of Windows.

ecash's picture

The FUN parts are..

Is this good software?
Do I have to deal with ADVERTS to use GOOD software?

HOW are they sending me ADVERTS?? safe or unsafe? NEVER SAFE.

DID the software OPEN a vulnerability in windows, or USE one already there? nothing to say here..

RESTRICTED software..it only works with THIS machine..Wow, a bit of programming Limits a good piece of software.

DOES it auto run at startup?? HATE this. I've killed up to 6 chat programs all starting at Boot, All trying to get to the net..while Windows is TRYING to start.

I've tried many pieces of software, over 30+ years. and finding NEW/better software CAN be hazardous. Don't care if it's a GAME/UTILITY/System Monitor/.. ANYTHING..
Unless you have an Experiment/trial machine, it gets very hard to figure out if something is GOOD.
depending on MS to protect you?? TELL you what's happening??

MS is trying to create an OS that will run on almost anything..That's why win8 was a TABLET OS.. selling you APPS..Under any name..And MS is having a problem..HOW to control Apps/cookies/whatever the name. HOW to protect the customer..Soon everything will go thru MS..

And Most of the Xbox consoles are Modified DIRECTX..

kitekrazy's picture

Other than using less expensive parts the bloatware reduces the costs. I never like laptops and rolled my own PCs. Any laptop I've owned was a hand me down. If they made it easier to build your own laptop I would try building one.

MONSTERTEK's picture

That's like complaining about that "new car" smell. The best advice I can give to the average new PC buyer, hire a local reputable independent pc tech (ask a friend, etc.) and pay him or her for an hour of their time to set it up, connect it to your network, install the printer, remove the crapware, and do the updates. Everyone's better off in the end.

eric's picture

I practically beg my friends and family to let me do the initial setup of new pc's and laptops they buy.
When I ran my own PC repair business, I offered a cheap package for "new PC setup",
All just so I could get rid of the crapware preinstalled and provide the users with a better overall experience.
Autoruns is NOT something the casual user should be using. LoL.

caseymcpoet's picture

Hi Dennis. I've got an HP Pavilion laptop I love & have those vulnerable HP programs they mention, HP Support Solutions Framework (HPSSF) & HP Download and Install Assistant. They do not, however, give any solution to remedy this. (I previously had an HP Netbook Win7 which was bloated & still is.) What irks me is by publishing these vulnerabilities are they making it more likely now that my laptop will be attacked by some hacker who happens to read their report? Casey in Wonderland