The practice of OEMs bundling free trials of security or productivity software, browser toolbars, eCommerce programs, and other paid-for software on top of the base Windows installation as a secondary revenue source in an attempt to subsidize the hardware cost under the pretext of "being helpful" or "adding value" has shown to be a security disaster, containing vulnerabilities that leave users at risk.
Samsung disables Windows Update
The SWUpdate system management utility bundled with Samsung notebook PCs to ensure that drivers are updated (among other ancillary tasks) possesses a rather peculiar design feature, as discovered this week by Patrick Barker. The SWUpdate software, when installed on a computer, proceeds to download a program through unencrypted HTTP (itself an unrelated security issue) called Disable_Windowsupdate.exe, which continually disables automatic installations of patches via Windows Update.
When Barker contacted Samsung's support team about the issue, the reason provided was, "When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates."
Of note, it doesn't prevent the user from turning automatic updates back on, but the program will again disable Windows Update upon reboot. This "permissive" behavior is likely a reason why this behavior has not been flagged by antivirus programs as being an issue. The software in question is intended to run only on Samsung systems, and according to Barker, it is as a result somewhat difficult to audit on a non-Samsung system, and the exact behavior and means of removal may be different from running the program in a VM.
Lenovo's Superfish debacle
In February 2015, the discovery of pre-installed Superfish adware in consumer-level Lenovo notebooks (that is, not the ThinkPad series) became a public relations mess after Lenovo initially attempted to claim that the software was not harmful, and was provided for users to "discover interesting products while shopping." Unfortunately, the Superfish adware acted as a man-in-the-middle attack, replacing SSL/TLS certificates with an identical, hard-coded, self-signed certificate on all affected computers, leaving users vulnerable to having data stolen by anyone able to extract the self-signed key. Lenovo and Microsoft now distribute Superfish removal tools.
LG monitor software disables UAC
In April 2015, users discovered that the system software bundled with certain LG monitors — most notably, the 21:9 ultra-widescreen 29UM65 series — will disable User Account Control (UAC) and run all programs as Administrator. The rationale for this is that the bundled utility that manages program windows on this special-format display cannot resize windows of programs that run as Administrator if the utility is running without this access. However, the author of MaxTo, a competing solution that works on any display, notes that there is a sensible way to communicate between elevated and non-elevated programs.
How to avoid these security issues
Although it is possible to remove known issues like SWUpdate and Superfish by using the removal tools or normal uninstall procedures, the easiest way to avoid potential future issues is to start with a clean slate — wiping the drive of a newly-purchased computer and installing a clean version of Windows from the installation media.
Alternatively, many OEMs provide Signature Edition systems through the Microsoft Store, which arrive shipped with a vanilla Windows installation sans the adware, free trials, and system management utilities found on normal systems. However, Windows is increasingly becoming the source of unwanted "added value" bundles, with the bundling of programs such as Candy Crush Saga in Windows 10.
What's your view?
When you purchase a prebuilt PC, do you wipe the drive and install Windows from the Microsoft install media? Or, do you opt for a Linux distribution instead? Share your experiences in the comments section.
- Microsoft takes security to a new level with Device Guard
- Matchlight finds breaches faster by scouring the dark web for stolen data
- Download: Executive's guide to the next wave of security challenges
- Security and Privacy: New Challenges (ZDNet/TechRepublic special feature)
Note: TechRepublic and ZDNet are CBS Interactive properties.
James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.