Nothing is perfectly secure, and we’ll never eliminate every vulnerability out there. But we shouldn’t be seeing as many sloppy mistakes as we’ve seen from HP, Apple, Intel, and Microsoft in 2017.
Please, PC manufacturers: Spend time on the boring work to make our PCs secure. We need security more than we need shiny new features.
Apple Left a Gaping Hole in macOS, and Did a Bad Job Patching It
If this were any other year, people would be holding Apple’s Macs up as an alternative to the PC chaos. But this is 2017, and Apple has had the most amateurish, sloppy mistake of all—so let’s start there.
Apple’s latest version of macOS, known as “High Sierra”, had a gaping security hole that allowed attackers to quickly sign in as root and get full access to your PC—just by trying to sign in a few times without a password. This could happen remotely via Screen Sharing, and it could even bypass the FileVault encryption used to secure your files.
Worse yet, the patches Apple rushed out to fix this didn’t necessarily fix the problem. If you installed another update afterwards (from before the security hole was found), it would re-open the hole—Apple’s patch didn’t get included in any other OS updates. So not only was it a bad mistake in High Sierra in the first place, but Apple’s response—while fairly quick—was a mess.
This is an unbelievably bad mistake from Apple. If Microsoft had such a problem in Windows, Apple executives would be taking pot shots at Windows in presentations for years to come.
Apple has been coasting on the Mac’s security reputation for far too long, even though Macs are still less secure than Windows PCs in some fundamental ways. For example, Macs still don’t have UEFI Secure Boot to prevent attackers from tampering with the boot process, as Windows PCs have had since Windows 8. Security by obscurity isn’t going to fly for Apple anymore, and they need to step it up.
HP’s Pre-Installed Software Is an Absolute Mess
HP has not had a good year. Their worst problem, which I personally experienced on my laptop, was the Conexant keylogger. Many HP laptops shipped with an audio driver that logged all keypresses to a MicTray.log file on the computer, which anyone could view (or steal). It’s absolutely crazy that HP wouldn’t catch this debug code before it shipped on PCs. It wasn’t even hidden—it was actively creating a keylogger file!
There have been other, less serious problems in HP PCs, too. The HP Touchpoint Manager controversy wasn’t quite “spyware” like a lot of media outlets claimed, but HP failed in communicating with its customers about the problem, and the Touchpoint Manager software was still a useless, CPU-hogging program that isn’t necessary for home computers.
And to top it all off, HP laptops had yet another keylogger installed by default as part of the Synaptics touchpad drivers. This one isn’t quite as ridiculous as Conexant—it’s deactivated by default and can’t be enabled without administrator access—but it could help attackers evade detection by antimalware tools if they wanted to keylog an HP laptop. Worse yet, HP’s response implies that other PC manufacturers may have the same driver with the same keylogger. So it may be a problem across the wider PC industry.
Intel’s Secret Processor-Within-a-Processor Is Riddled with Holes
Intel’s Management Engine is a little closed-source black box operating system that’s a part of all modern Intel chipsets. All PCs have the Intel Management Engine in some configuration, even modern Macs.
Despite Intel’s apparent push for security by obscurity, we’ve seen many security vulnerabilities in the Intel Management Engine this year. Earlier in 2017, there was a vulnerability that allowed remote administration access without a password. Thankfully, this only applied to PCs that had Intel’s Active Management Technology (AMT) activated, so it wouldn’t affect home users’ PCs.
Since then, though, we’ve seen a raft of other security holes that needed to be patched in practically every PC. Many of the affected PCs still haven’t had patches released for them yet.
This is particularly bad because Intel refuses to allow users to quickly disable the Intel Management Engine with a UEFI firmware (BIOS) setting. If you have a PC with the Intel ME that the manufacturer won’t update, you’re out of luck and will have a vulnerable PC forever…well, until you buy a new one.
In Intel’s haste to launch their own remote administration software that can work even when a PC is powered off, they’ve introduced a juicy target for attackers to compromise. Attacks against the Intel Management Engine will work on practically any modern PC. In 2017, we’re seeing the first consequences of that.
Even Microsoft Needs a Little Foresight
It would be easy to point to Microsoft and say that everyone needs to learn from Microsoft’s Trustworthy Computing Initiative, which began in the Windows XP days.
But even Microsoft has been a little sloppy this year. This isn’t just about normal security holes like a nasty remote code execution hole in Windows Defender, but problems Microsoft should have easily been able to see coming.
The nasty WannaCry and Petya malware epidemics in 2017 both spread using security holes in the ancient SMBv1 protocol. Everyone knew that this protocol was old and vulnerable, and Microsoft even recommended disabling it. But, despite all that, it was still enabled by default on Windows 10 up until the Fall Creators Update. And it was only disabled because the massive attacks pushed Microsoft to finally address the problem.
That means that Microsoft cares so much about legacy compatibility that it will open Windows users to attack rather than proactively disable features very few people need. Microsoft didn’t even have to remove it—just disable it by default! Organizations could have easily re-enabled it for legacy purposes, and home users wouldn’t have been vulnerable to two of 2017’s biggest epidemics. Microsoft needs the foresight to remove features like this before they cause such major problems.
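To check whether a given Windows machine still has SMBv1 available, and to turn it off, an administrator can use a script like the one below. This is an added example, not part of the original article; the function name Get-Smb1State and the -Remediate switch are made up for illustration, while the cmdlets and the mrxsmb10 service key are the standard Windows ones.

```powershell
# Added example: audit (and optionally disable) SMBv1. Run from an elevated prompt.
# Read-only unless -Remediate is passed.
param([switch]$Remediate)

function Get-Smb1State {
    # Server side: does this machine accept inbound SMBv1 sessions?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMBv1 optional feature still installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    $featureState = 'Unknown'
    if ($feature) { $featureState = [string]$feature.State }

    # Client side: the mrxsmb10 driver. Start = 4 means disabled;
    # a missing key means the driver has been removed.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -Name Start -ErrorAction SilentlyContinue
    $clientDriver = 'Removed'
    if ($drv) {
        if ($drv.Start -eq 4) { $clientDriver = 'Disabled' } else { $clientDriver = 'Enabled' }
    }

    [pscustomobject]@{
        ServerAcceptsSmb1 = [bool]$server
        FeatureState      = $featureState
        ClientDriver      = $clientDriver
    }
}

$state = Get-Smb1State
$state | Format-List

$exposed = ($state.ServerAcceptsSmb1) -or
           ($state.FeatureState -eq 'Enabled') -or
           ($state.ClientDriver -eq 'Enabled')

if ($exposed -and $Remediate) {
    # Stop accepting SMBv1 immediately, then remove the feature itself.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Warning 'SMBv1 disabled; reboot to finish removing the feature.'
} elseif ($exposed) {
    Write-Warning 'SMBv1 is still available on this host. Re-run with -Remediate to disable it.'
}
```

Organizations that still depend on a legacy SMBv1 device can run the audit without -Remediate first to see which hosts would be affected.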
These companies aren’t the only ones having problems, of course. 2017 saw Lenovo finally settling with the US Federal Trade Commission over installing the “Superfish” man-in-the-middle software on PCs back in 2015. Dell also shipped a root certificate that would allow a man-in-the-middle attack back in 2015.
This all just seems like too much. It’s about time everyone involved gets more serious about security, even if they have to delay some shiny new features. Doing so may not grab headlines…but it’ll prevent the headlines none of us want to see.