Security researchers find several high-risk bloatware bugs on popular laptops

Laptops made by five of the world’s biggest computer manufacturers are vulnerable to dangerous hacking thanks to flawed pre-installed software.

Security firm Duo Security has today published a new report from its Duo Labs division into pre-installed software, or bloatware, on laptops made by HP, Dell, Lenovo, Asus, and Acer. The security issues found with these original equipment manufacturers (OEMs) are mostly rooted in buggy updater software for pre-installed programs.

The full report found that none of the vendors took proper care in delivering software updates via a secure HTTPS line. This made it easier for would-be attackers to intercept traffic, gain access to users’ systems, and even take over computers. For example, in the report, Duo Labs stated that HP and Dell “often transmitted” files over HTTPS but Asus and Acer did not.

In the study, the researchers found a number of other security flaws specific to each OEM that could lead to arbitrary code execution, permitting the takeover of a computer.

HP had two such vulnerabilities, which Duo Labs dubbed high risk, as well as five medium-to-low-risk flaws. Asus and Lenovo had one high-risk bug each and Acer had two. Dell, on the other hand, was found to have one high-risk certificate flaw.

In the case of Asus, the researchers claimed that they were able to take over a computer manufactured by the company in less than 10 minutes.

According to the Duo Labs researchers, by allowing a range of pre-installed software onto their systems before they ship, OEMs struggle to double-check the security of each little piece of software.

Before publishing its research today, Duo Labs contacted or attempted to contact the five companies involved. The research was conducted between October 2015 and April of this year.

“Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right?” the researchers said.

HP and Lenovo responded well to the researchers' concerns, they said, patching the flaws promptly, with Lenovo removing the software outright. Dell did its due diligence too, they added. Asus and Acer, on the other hand, have not sufficiently addressed the problems, according to the firm.

Finally, the researchers warn users to be more skeptical of laptops after they purchase them. “Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used,” they wrote in their conclusion.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…