SANS ISC InfoSec Forums: The Perils of Vendor Bloatware

The Perils of Vendor Bloatware

In today's Stormcast, Johannes summarizes the current issue with some of the software that comes pre-installed on Dell laptops. In short, Dell Foundation Services, which is used for remote management, allows unauthenticated WMI queries to be processed through a simple SOAP interface. We've used WMI in many stories for reconnaissance, pentesting and attack activities (check out our Diary Archives and Search function for more on this).
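As an added example (not part of the diary or of Dell's own tooling), here is a PowerShell audit check an administrator can run on a Dell machine to see whether Dell Foundation Services is installed, whether it is running, and which TCP ports its process is listening on. The service display-name pattern `*Dell Foundation*` is an assumption; adjust it if your build names the service differently.

```powershell
# Added audit check (not from the diary): report whether Dell Foundation Services is
# installed, running, and owns any listening TCP socket on this host.
# The display-name pattern below is an assumption about how the service is labelled.
function Get-DellFoundationServicesExposure {
    [CmdletBinding()]
    param(
        [string]$DisplayNamePattern = '*Dell Foundation*'  # assumed match pattern
    )

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern }

    if (-not $services) {
        # Nothing matched: the vendor agent is not present under that name.
        return [pscustomobject]@{ Installed = $false; Running = $false; ListeningPorts = @() }
    }

    $results = foreach ($svc in $services) {
        $ports = @()
        if ($svc.State -eq 'Running' -and $svc.ProcessId -gt 0) {
            # Any listening socket owned by the service process is network exposure
            # worth reviewing, since the diary describes an unauthenticated SOAP endpoint.
            $ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                Where-Object { $_.OwningProcess -eq $svc.ProcessId } |
                Select-Object -ExpandProperty LocalPort -Unique
        }
        [pscustomobject]@{
            Name           = $svc.Name
            DisplayName    = $svc.DisplayName
            Installed      = $true
            Running        = ($svc.State -eq 'Running')
            StartMode      = $svc.StartMode
            PathName       = $svc.PathName
            ListeningPorts = @($ports)
        }
    }
    return $results
}

# Run it and show the findings; a non-empty ListeningPorts on a Running service
# is the case to escalate (remove the agent or block the port at the host firewall).
Get-DellFoundationServicesExposure | Format-List
```

Run it elevated so the process-to-port mapping is complete, and roll the output into your fleet inventory to find machines that still carry the agent.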

Anyway, on one hand, an IT Manager might say "who better to write desktop management software than the hardware vendor". A smarter IT Manager might say "no, someone who builds hardware for a living is the *worst* person to buy software from, especially if it's free software". Maybe the ground lies somewhere in between - I typically format every new machine, use the vendor hardware drivers for whatever OS I install, and stop there (at least as far as hardware vendor code goes).

Long story short, after the past year of Superfish and Dell's equivalent of Superfish, and now this, I hope it's time we all look at the special presents we get "for free", preinstalled on new hardware!

References:

Today's Stormcast: https://isc.sans.edu/podcastdetail.html?id=4767 (or subscribe via iTunes or RSS)
Dell Foundation Services issue: http://rum.supply/2015/12/01/dell-foundation-services.2.html
Superfish 2.0: https://isc.sans.edu/diary/Superfish+2.0:+Dell+Windows+Systems+Pre-Installed+TLS+Root+CA/20411

===============

Rob VandenBrink
Metafore

Lenovo installs drivers that work better with their systems than the vendor, in addition to software that makes everything work properly. Dell's business laptops typically do not include bloatware. It's true that having less software installed means fewer vulnerabilities; however, a clean OS install often leads to keys or hardware (fingerprint reader, web cam, etc.) not working as tested by the manufacturer.
Anonymous
Drivers are not an issue. They can and should be managed and installed on deployment as appropriate. Using the hardware vendor's image just because it includes the "right" drivers is a pretty poor excuse for not having a centrally controlled, managed, and hardened deployment image.
Anonymous
Agreed. The "free" management tools and such are the problem here. The reality is that doing things right is hard, and most people won't bother with the work. If you give them what appears to be a "free and easy" tool, 9/10 of them will use it without evaluation of its function or security.
xencon

Sometimes the system mfg distributes the device mfg's driver package. I say package since in addition to the driver you also see a configuration tool or some other extra software. I try to install just the driver. I check the device mfg's site for a simple driver installer. I have gone so far as to extract the full package and locate the simple driver installer. There have been a few instances where the simple driver installer is buggy and the full package installer corrects those issues to achieve a functioning driver install. In that case, look for an uninstaller for the extras, not as clean but cleaner.
G.Scott H.
