ASUS Live Update Utility and Broken SecurityWritten on June 5, 2016 by Christopher Crader
Before I get too far, I'm just going to say now that if you have a Puget Systems computer with an ASUS motherboard, you're probably not impacted by this at all. You have to install the AI Suite in order for LiveUpdate to be running, and we don't install that. If you've installed it, I'd recommend either uninstalling it or disabling LiveUpdate running on startup. If you're curious to know more, give the rest a read.
So I just ran into this wonderful news regarding ASUS and their LiveUpdate utility. Apparently LiveUpdate allows for the running of updates via HTTP without properly verifying them. It's kind of a big deal. Basically, with this sort of attack open, somebody can script a bit of software to run on your system and it will show up in LiveUpdate as just another random security update.
The way it works is that the program checks for a specific set of update files online every hour. If the files report an update, they pass along the info for the update. Here's the thing. Since it's all handled via HTTP, it's possible for somebody to use a man-in-the-middle attack to alter the update files. In doing so, it's possible to run malware on the system, or even to have your BIOS modified via an update. Based on my reading of the report, it looks like you'd have to actively run the false update from inside the LiveUpdate utility for it to do its work, but it still presents a huge security risk, as most folks will simply trust it, expecting it to be a real ASUS update.
So what do you do? If you're using a Puget Systems computer, probably nothing. We do use ASUS motherboards, and the motherboard discs we send out include the utility, but we never install it unless explicitly asked. Nobody ever asks. We've had concerns about the utility's reliability regarding updates. It makes it too easy to run BIOS updates, which we typically recommend against except with specific issues that require them. So odds are good that if you're reading this, you're not impacted.
Okay, but what if you installed the software yourself? What do you do? The good news is that there is a fairly easy fix. Just uninstall the ASUS AI Suite.
- Bring up Programs and Features. If you're using Windows 8.1 or 10, right-click the start menu, and it will be the top option. If you're using Windows 7, click the Start button, click Control Panel, click Programs, and then click Programs and Features.
- Once you're there, just find the ASUS AI Suite and uninstall it. Pretty simple.
Okay, but maybe you want to keep the utility for some reason? In that case, you can just turn off LiveUpdate's auto-run function. The AI Suite will still be installed, but at least it won't automatically push for updates. I've taken the instructions for that from ASUS.
- Press "WinKey+R" to open the "Run".
- Type "msconfig", Then click OK.
- Go to "startup" tab.
- Open task manager.
- Disable the "ASUS Live Update Application" and restart the Windows.
This isn't something that should impact most of our customers. For that matter, it probably wouldn't impact any of them. But given the severity of the flaw, I figured I should put this out for anybody concerned. If you're a Puget Systems customer and have any questions, you can always call us at 1-425-458-0273 ext 2, or you can email support at firstname.lastname@example.org