Last month’s report on OEM software vulnerabilities from Duo Labs (pdf) was covered in a lot of different news articles. Wired put out one of the best pieces on it, which you can read here.
Wired also covered how some of the manufacturers reacted to our findings.
As varied as their security stances were, the vendors also varied in how easy they made it to report security problems. While Lenovo, HP and Dell all had direct channels for reporting security problems with their software, Acer and Asus did not, leaving Duo researchers to attempt contact through their customer support channels multiple times via email and phone calls before they got a response.
How the vendors responded to the researchers also varied. HP has already patched the most egregious vulnerabilities the researchers found. Lenovo addressed its problems by simply removing the vulnerable software from affected systems. Duo reported the problems to the vendors more than four months ago, but Acer and Asus still haven’t indicated when they will fix the problems or if they will.
“Asus told us they were going to patch in a month, then they backed off on that after we pointed out that their planned patch was also flawed,” says Steve Manzuik, director of security research at Duo Labs. “And that’s when our communication broke down with them.”