Skip to main content

Security researchers find several high-risk bloatware bugs on popular laptops

HP Elite X3
Malarie Gokey/Digital Trends
Laptops made by five of the world’s biggest computer manufacturers are vulnerable to dangerous hacking thanks to flawed pre-installed software.

Security firm Duo Security has today published a new report from its Duo Labs division into pre-installed software, or bloatware, on laptops made by HP, Dell, Lenovo, Asus, and Acer. The security issues found with these original equipment manufacturers (OEMs) are mostly rooted in buggy updater software for pre-installed programs.

Recommended Videos

The full report found that none of the vendors took proper care in delivering software updates via a secure HTTPS line. This made it easier for would-be attackers to intercept traffic, gain access to users’ systems, and even take over computers. For example, in the report, Duo Labs stated that HP and Dell “often transmitted” files over HTTPS but Asus and Acer did not.

OEM-vendor-issues
Image used with permission by copyright holder

In the study, the researchers found a number of other security flaws specific to each OEM that could lead to arbitrary code execution, permitting the takeover of a computer.

Please enable Javascript to view this content

HP had two such vulnerabilities, which Duo Labs dubbed high risk, as well five medium-to-low-risk flaws. Asus and Lenovo had one high-risk bug each and Acer had two. Dell on the other was found to have one high-risk certificate flaw.

In the case of Asus, the researchers claimed that they were able to take over a computer manufactured by the company in less than 10 minutes.

According to the Duo Labs researchers, by allowing a range of pre-installed software onto their systems before they ship, OEMs struggle to double-check the security of each little piece of software.

Before publishing its research today, Duo Labs contacted or attempted to contact the five companies involved. The research was conducted between October 2015 and April of this year.

“Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right?” the researchers said.

HP and Lenovo responded well to their concerns, they said, by patching the flaws promptly and with the latter removing the software outright. Dell did its due diligence too, they added. Asus and Acer on the other hand have not sufficiently addressed the problems, according to the firm.

Finally, theresearchers warn users to be more skeptical of laptops after they purchase them. “Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used,” they wrote in their conclusion.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Black Friday’s best PC hardware deal is still live, and you’re sleeping on it
The Ryzen 5 7600X sitting among thermal paste and RAM.

I'm not mad, just disappointed. A couple of weeks ago, I covered the insane deal that essentially allowed you to score a Ryzen 5 7600X -- still one of the best processors you can buy -- for just $105. At the time, I thought, surely, this will sell out in a matter of hours. Who would pass up on a deal this good? And yet, two weeks later to the day, the craziest deal I've seen during all of Black Friday and Cyber Monday is still live on Newegg.

Let me break down the deal again. You can get the Ryzen 5 7600X for $225, which is not a good price. However, you can get an additional $30 off by using promo code DLCDZ342, bringing the price down to $195. The kicker is that you also get a free Team Group MP44L 1TB PCIe 4.0 SSD. That's a $90 hard drive that Newegg is just throwing in with a CPU that's already available for a decent price. The fact that the deal is still live suggests either Newegg has a ton of inventory, or not enough people know about this sale.

Read more
NZXT dismisses PC rental allegations as ‘misconceptions’ while promising changes
The NZXT H7 Flow refreshed PC case showcased at Computex 2024.

NZXT founder and CEO Johnny Hou has publicly addressed growing criticism of the company’s Flex gaming PC rental program, which faced intense scrutiny after YouTube channel Gamers Nexus exposed significant flaws in its pricing and terms. In a detailed video, Gamers Nexus described the program as exploitative, pointing out that its long-term costs far outweighed the hardware's value, leaving customers locked into a financial commitment with minimal ownership options.

“I want to acknowledge that we messed up,” Hou said in a video published by the company. He also promised to address customer concerns and improve the program but offered few specifics on what changes would be implemented.

Read more
ChatGPT’s new Pro subscription will cost you $200 per month
glasses and chatgpt

Sam Altman and team kicked off the company's "12 Days of OpenAI" event Thursday with a live stream to debut the fully functional version of its 01 reasoning model, as well as a new subscription tier called ChatGPT Pro. But to gain unlimited access to these new features and capabilities, you're going to need to shell out an exorbitant $200 per month.

The 01 model, originally codenamed Project Strawberry, was first released in September as a preview, alongside a lighter-weight o1-mini model, to ChatGPT-Plus subscribers. o1, as a reasoning model, differs from standard LLMs in that it is capable of fact-checking itself before returning its generated response to the user. This helps such models reduce their propensity to hallucinate answers but comes at the cost of a longer inference period and slower response.

Read more