Wired reports How the Top 5 PC Makers Open Your Laptop to Hackers
SOFTWARE MAKERS LIKE Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can’t hijack updates to get into your computer.
But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers—HP, Dell, Acer, Lenovo, and Asus—found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.
Researchers at Duo Security’s Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities—the ability to remotely run whatever malicious code they want on a system—and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report they’re releasing (.pdf) about their findings."
It's amazing to me that vendors are still getting this so wrong when security has been a big issue on PCs for so long and Microsoft is so public about securing Windows. To be sending updates over unencrypted channels shows complete incompetence.