Another round of revelations about vulnerabilities in software bundled by major PC vendors could see renewed interest in applying standard operating environments (SOEs) to newly purchased computers.
Duo Security's Duo Labs recently found 12 serious vulnerabilities in OEM updaters on Acer, Asus, Dell, HP, and Lenovo systems.
So the practice of re-imaging new computers with a system comprising only the components required still makes a lot of sense. It's a simple and relatively quick process, and over the years practices and tools have been developed for keeping images and systems up to date without disrupting acceptable personalisation by users, including provision for self-service installation of approved but optional applications.
Keeping up to date matters. A surprisingly high proportion of successful attacks target old vulnerabilities, and as a rule of thumb attacks become more common once an exploit module for a vulnerability has been added to the Metasploit penetration testing framework. As that can happen very quickly after disclosure, prompt patching makes sense.
Sure, you might still want to test updates before applying them – to ensure that a browser patch doesn't break your old but still vital intranet pages, for example, or that your custom integrations still work after the programs have been updated. But you still need a 'hands-off' way of keeping your fleet updated without having to trust the demonstrably insecure mechanisms provided by some vendors. Such tools are available.
What about BYOD?
However, there's another problem. You increasingly don't own the devices used in your organisation, thanks to formal BYOD policies or even an informal tolerance of privately-owned equipment. It's unreasonable to expect employees to submit their own property for re-imaging with a system that might not meet their personal needs.
Frequently proposed ways around that are virtual desktops, application virtualisation and web-based applications for corporate purposes. The trouble is that malware running on the device may still be able to access valuable information, for example by screen scraping or keystroke logging. Countermeasures are available, but don't simply assume that because the applications run on your servers all the data is secure.
What doesn't help is that in at least some cases the vulnerable updaters shipped on retail systems rather than on those sold to the corporate market. So the computers most in need of re-imaging are probably the least likely to get it.
At least Lenovo is recommending its customers uninstall the Lenovo Accelerator highlighted by Duo as having an update mechanism "devoid of any security precautions whatsoever." (Conversely, Duo described Lenovo Solutions Center as "one of the best updaters we looked at" being "hardened against MITM attack.")
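The difference Duo is drawing between those two Lenovo updaters comes down to whether the client verifies what it downloads before running it. The Go program below is an added illustration, not code from Duo or from any of the vendors named, and its manifest format, field names and sample payloads are constructed for the example: one updater installs whatever arrives, the other checks a detached Ed25519 signature on the manifest against a pinned vendor public key and then checks the payload against the hash the signed manifest commits to, so an on-path attacker who swaps the payload or substitutes a manifest signed with their own key is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (this example's, not any vendor's):
// the version on offer and the hex SHA-256 of the payload it points at.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the manifest's JSON plus a detached Ed25519 signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// signManifest is the vendor-side step; the private key stays in the build
// pipeline, so nothing on the client or the network can mint a valid signature.
func signManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	raw, err := json.Marshal(m)
	if err != nil {
		panic(err) // a fixed struct of strings always marshals
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// naiveInstall models an updater with no security precautions: it parses whatever
// manifest arrived (over plain HTTP, say) and installs whatever payload came with it.
func naiveInstall(manifestJSON, payload []byte) (string, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", err
	}
	_ = payload // no signature check, no hash check: the payload is trusted as-is
	return m.Version, nil
}

// verifiedInstall models a hardened updater: the manifest must verify under the
// pinned vendor key, and the payload must hash to the value the signed manifest
// commits to, before anything is executed.
func verifiedInstall(vendorPub ed25519.PublicKey, sm SignedManifest, payload []byte) (string, error) {
	if !ed25519.Verify(vendorPub, sm.Manifest, sm.Signature) {
		return "", errors.New("manifest signature does not verify under vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return "", err
	}
	if hexSHA256(payload) != m.SHA256 {
		return "", errors.New("payload hash does not match signed manifest")
	}
	return m.Version, nil
}

func hexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Outcome records which deliveries each updater accepted.
type Outcome struct {
	NaiveAcceptsTampered    bool // payload swapped in transit
	HardenedAcceptsGenuine  bool // the real update, untouched
	HardenedAcceptsTampered bool // vendor-signed manifest, swapped payload
	HardenedAcceptsForged   bool // attacker's manifest, signed with attacker's key
}

// Scenario plays vendor, client and on-path attacker with constructed sample payloads.
func Scenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: genuine update payload v2.0")
	malicious := []byte("constructed sample: attacker-supplied payload")
	vendorSigned := signManifest(vendorPriv, Manifest{Version: "2.0", SHA256: hexSHA256(genuine)})
	// The attacker cannot sign as the vendor; the best available forgery is a
	// manifest for the malicious payload signed with a key they generated themselves.
	forged := signManifest(attackerPriv, Manifest{Version: "2.1", SHA256: hexSHA256(malicious)})

	accepted := func(_ string, err error) bool { return err == nil }
	return Outcome{
		NaiveAcceptsTampered:    accepted(naiveInstall(vendorSigned.Manifest, malicious)),
		HardenedAcceptsGenuine:  accepted(verifiedInstall(vendorPub, vendorSigned, genuine)),
		HardenedAcceptsTampered: accepted(verifiedInstall(vendorPub, vendorSigned, malicious)),
		HardenedAcceptsForged:   accepted(verifiedInstall(vendorPub, forged, malicious)),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Signature-plus-hash verification is what defeats an attacker who can rewrite plain-HTTP responses. Two further controls a hardened updater needs, and which the example leaves out, are TLS with certificate pinning for the transport and a monotonic version check against what is already installed, so that an old but validly signed manifest cannot be replayed to downgrade the client to a version with known holes.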
That's not to say that there are widespread examples of malware being slipped onto systems by exploiting insecure updaters.
Losing faith in patching?
Basically, we're in a mess. Automatic updating is pitched as an important part of protecting systems by patching vulnerabilities as quickly as possible. Yet too many vendors – as demonstrated by Duo – have failed to properly secure their update mechanisms.
This could result in people losing faith in the idea, and consequently applying security patches less promptly, increasing the window of opportunity for exploits.