The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content’s source or validity.
The LiveUpdate toolkit is what you’d call bloatware or crapware: software prepackaged on your computer that is already there when you boot it up for the first time. Very few people are aware of its presence, and most of those who are assume it belongs there because it is provided by their laptop’s manufacturer.
Unfortunately for ASUS customers, the company’s official “bloatware” doesn’t use the most secure mechanism to deliver updates, as US security researcher Morgan Gangwere.
HTTP communications expose users to MitM attacks
The LiveUpdate feature installed on ASUS devices queries the ASUS servers for new updates via unencrypted HTTP requests, which are easy to intercept and spoof.
On the other end, the ASUS servers also reply to these queries over HTTP, using obfuscated XML files that are likewise easy to reverse-engineer and duplicate.
ASUS LiveUpdate doesn’t verify the validity of the response it receives from the server in any way, and it will also install any software it receives without checking its source or content.
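The two checks the article says are missing, a signature on the update manifest and a hash binding the downloaded payload to that manifest, are what stop a spoofed HTTP reply from being installed. The following Go program is an added example written for this article, not ASUS code and not a description of how LiveUpdate is implemented; the manifest format, the Ed25519 key pair, the sample payload bytes and the version-rollback rule are all constructed assumptions. It shows a client-side verification routine and exercises it against a genuine update, a tampered payload, a manifest signed with the wrong key, and an old version replayed over a newer install.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update description the vendor would
// publish. The client trusts nothing in it until the signature check passes.
type Manifest struct {
	Name    string `json:"name"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the payload bytes
}

// SignedManifest is the manifest bytes exactly as signed, plus the signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from the vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// VerifyUpdate is the client-side gate. It returns the manifest only when the
// response is signed by the pinned vendor key, is newer than what is installed,
// and the payload hashes to the value the signed manifest commits to.
func VerifyUpdate(vendorPub ed25519.PublicKey, sm SignedManifest, payload []byte, installedVersion int) (*Manifest, error) {
	// 1. Authenticate the manifest before parsing anything from it.
	if !ed25519.Verify(vendorPub, sm.Manifest, sm.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	// 2. Refuse replays of older (possibly vulnerable) but validly signed updates.
	if m.Version <= installedVersion {
		return nil, ErrRollback
	}
	// 3. Bind the downloaded bytes to the signed manifest.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// SignManifest is the vendor-side step, assumed to run offline; the private key
// never reaches the client. Included so the example is self-contained.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Scenarios runs the verifier over four constructed cases and returns the
// outcome of each, so the behaviour can be checked without reading output.
func Scenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_ = otherPub

	payload := []byte("constructed stand-in for a driver package, not real firmware")
	sum := sha256.Sum256(payload)
	good := Manifest{Name: "usb-driver", Version: 2, SHA256: hex.EncodeToString(sum[:])}
	installed := 1

	res := map[string]error{}

	signed, _ := SignManifest(vendorPriv, good)
	_, res["genuine"] = VerifyUpdate(vendorPub, signed, payload, installed)

	// Same signed manifest, but the bytes delivered differ from what was signed.
	_, res["tampered payload"] = VerifyUpdate(vendorPub, signed, append([]byte{}, append(payload, 'X')...), installed)

	// A manifest signed by a key other than the pinned vendor key is rejected
	// before any field in it is trusted.
	forged, _ := SignManifest(otherPriv, good)
	_, res["wrong key"] = VerifyUpdate(vendorPub, forged, payload, installed)

	// A validly signed but older manifest is rejected as a rollback.
	old, _ := SignManifest(vendorPriv, Manifest{Name: "usb-driver", Version: 1, SHA256: good.SHA256})
	_, res["rollback"] = VerifyUpdate(vendorPub, old, payload, 1)

	return res
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Because the signature check runs first and covers the whole manifest, an unauthenticated XML or JSON reply intercepted on the wire fails at step 1 regardless of how easy the format is to reproduce; transport encryption alone would not give the second and third checks, which is why signed manifests and payload hashes are the part a defender should look for.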
Update process takes place under admin privileges
This installation takes place under the same permissions used by the update checker, which is, you guessed it, an administrator account.
Gangwere says that launching the executable from under this account ensures that “there is little chance of an executable that is not authenticode signed from causing problems.”
Since LiveUpdate can deliver anything from USB drivers up to BIOS/UEFI firmware, an attacker only needs to have the patience to wait for a user’s laptop to query for updates before delivering their malicious code.
The attackers wouldn’t even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish.
Softpedia has reached out to ASUS regarding the researcher’s findings. This past week, Lenovo faced a similar situation with its Accelerator driver update utility. Instead of issuing a security update, the company decided it would be best if it.