HARDWARE SHIFTER Asus has been soundly criticised not just for its bloatware but for the way the firm updates and serves it.
No one wants bloatware. It is a scratch that you cannot itch, and Asus was recently fingered for being a host of bloat in a report by Duo Security.
The company did not comment on this to us at the time, but we sent an email and remain hopeful.
In the meantime, there is nothing but negative news to say about this. The slinger here is US security researcher Morgan Gangwere, who explained that Asus LiveUpdate does what you might expect but in a really bad way.
"My advice to anyone who purchased an Asus device: remove LiveUpdate. It's really that simple. If you're an IT administrator, find devices making periodic calls to Asus's domains and blackhole them, get the user to come and see you," said Gangwere in a blog post.
"There is no information on how long this software has been in the wild, but I can speculate it's been since at least the XP days since.
"The Asus LiveUpdate client makes requests over plain, unencrypted HTTP to the Asus update servers (liveupdate01.asus.com or dlcdnet.asus.com, depending on version) and interprets them as XML files (or obfuscated XML). There is no verification done of the authenticity of this XML file or the items it points to."
When it's 2AM and your PoC works pic.twitter.com/HVWGK7cu22 — Morgan Gangwere (@indrora) June 6, 2016
Gangwere said that this is open to abuse, which of course it is. Fortunately, even though Asus has not commented to us on this, the firm does offer a page all about how to remove LiveUpdate from your computer. A website called Shouldiremoveit.com polls users on the question. Currently the bulk are in the keep camp, but that could change.
"In tandem with a convenient 'run once an hour' scheduler task, LiveUpdate makes repeated, noisy requests to the LiveUpdate HTTP service. When 'Critical' updates are returned, the default behaviour is to automatically install the updates," added Gangwere.
"This scheduler task is run as any user in the NT Administrators group that the Task Scheduler deems high enough to be considered the most privileged. With a few fiddler intercepts, we can easily make the LiveUpdate application think we have a legitimate update." µ
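For administrators following the advice quoted above to find devices making periodic calls to the update hosts, the sketch below is an added example, not code from Gangwere or Asus. It scans web proxy log text for plain-HTTP requests to the two hostnames named in the article and flags clients whose requests recur roughly once an hour. The log line format, the sample entries and the function name are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Hostnames named in the article; the log format below is an assumption.
UPDATE_HOSTS = {"liveupdate01.asus.com", "dlcdnet.asus.com"}

# Constructed sample proxy log: "<ISO time> <client IP> <method> <URL>"
SAMPLE_LOG = """\
2016-06-06T08:00:03 10.0.4.21 GET http://liveupdate01.asus.com/path/placeholder.xml
2016-06-06T08:12:40 10.0.4.35 GET https://www.example.org/index.html
2016-06-06T09:00:05 10.0.4.21 GET http://liveupdate01.asus.com/path/placeholder.xml
2016-06-06T09:30:00 10.0.4.77 GET http://dlcdnet.asus.com/path/placeholder.zip
2016-06-06T10:00:02 10.0.4.21 GET http://liveupdate01.asus.com/path/placeholder.xml
2016-06-06T11:00:04 10.0.4.21 GET http://dlcdnet.asus.com/path/placeholder.zip
truncated-entry
"""

def find_liveupdate_clients(log_text, period=3600, tolerance=300, min_hits=3):
    """Return {client: report} for hosts contacting the update servers over HTTP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        stamp, client, _method, url = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # unparseable timestamp
        target = urlsplit(url)
        host = (target.hostname or "").lower().rstrip(".")
        if target.scheme == "http" and host in UPDATE_HOSTS:
            hits[client].append(when)
    report = {}
    for client, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodic: enough requests, and the median gap is close to one hour.
        periodic = (len(times) >= max(min_hits, 2)
                    and abs(median(gaps) - period) <= tolerance)
        report[client] = {"requests": len(times), "periodic": periodic}
    return report

if __name__ == "__main__":
    for client, info in sorted(find_liveupdate_clients(SAMPLE_LOG).items()):
        label = "hourly pattern" if info["periodic"] else "seen, not periodic"
        print(f"{client}: {info['requests']} request(s), {label}")
```

A client that appears in the report at all has the updater installed or has fetched from those hosts; the periodic flag separates the scheduled task from a one-off download.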