There are a myriad of articles in any language of your choice about Signature Edition, and they all invariably contain a sentence along the lines of, “Microsoft controls the software that ships on these PCs, and they strip out the worst stuff to ensure you have a clean copy of Windows with only useful utilities and drivers,” according to HowToGeek.
It’s true that Superfish software wasn’t packaged on Lenovo’s Signature Edition laptops, but what does Signature Edition really mean? Are there other aspects of these devices putting users at risk? As you may have already seen, we have spent some time analyzing the attack surface of Original Equipment Manufacturer (OEM) Laptops, including a few Microsoft Signature Edition models.
Signature Edition Security: Our Findings
As part of our project, we purchased Signature Edition laptops manufactured by Hewlett Packard (HP), Asus and Dell. These were all purchased directly from Microsoft. We decided to compare these to non-Signature Edition systems from the same manufacturers to figure out what exactly consumers are getting when they purchase these systems.
Additionally, after the release of our paper, we saw that other people were interested in Signature Edition as well. This prompted us to travel to Microsoft Retail Stores to take a look at some brands we missed in our initial analysis. We only used the in-store retail demo units for these, however we were assured by employees that they were the same as what you’d receive in the sealed box. Our process for analyzing the retail units was to first obtain administrative access, then run a couple quick checks to identify pre-packaged software: a full file listing (DIR C:\ /B /S) followed by running SysInternals’ autoruns tool. We then searched these listings for any indicators of pre-packaged software. Unfortunately, we did not capture the model numbers for all the in-store units we checked out.
Potential drawbacks of analyzing retail machines are that employees or customers may have tampered with them, however the overwhelming majority had Faronics Deep Freeze present to restore their hard-drive image as well as artifacts of OEM software. It seemed like the only steps employees took (also validated by employee statements) were to boot the machines, activate the “secret” Retail Mode, and install Deep Freeze.
Signature Edition Overview
We spoke to numerous Microsoft employees as part of this process and were told the same things by all of them: every single laptop sold by Microsoft directly or in a Microsoft Store is a “Signature Edition” laptop, and this means it is “free of bloatware”.
We asked more pointed questions to understand how the Signature Edition process works, and our understanding is this: OEM vendors are responsible for managing Signature Edition for their machines. Microsoft places orders for their machines for resale, and the OEMs are supposed to flash the machines with the Signature Edition images. It does not seem like Microsoft has great visibility or control of the Signature Edition program, instead shifting the responsibility to OEMs and trusting them to do the right thing.
It is our recommendation that Microsoft get more involved in the Signature Edition process, providing more guidance for and monitoring of OEM images. We consider their Surface Book machines the "gold standard" for a Windows 10 machine -- no annoying third-party components, no proprietary updaters, nothing but Windows and hardware support tools.
The only constant we saw across the board for Signature Edition was the lack of marketing tie-ins and trials of third-party software, which were a major annoyance on the non-Signature machines. This is to be applauded as a step in the right direction, however, some third-party and proprietary software of little value still found itself on many of the Signature Edition machines, including some vulnerable updaters.
For Acer, we only examined in-store retail units. We didn’t see anything pre-packaged besides software to support the Realtek audio hardware.
However, there's a C:\OEM directory with an install script that we didn’t pull a copy of:
We hope that boxed Signature Edition Acer units are the same as the retail demo unit. As we did not purchase one, we cannot say for sure, and when testing other brands we saw differences between purchased units and retail units. Assuming that the boxed units match the retail unit, they’ve done a very good job of stripping the system down.
Alienware has Signature Edition laptops for sale at the Microsoft Store. We didn't purchase one, but we did investigate one at the Store. We quickly became suspicious that the employees had customized the system as it had Steam installed on it and screenshots of gameplay from months back. Faronics Deep Freeze was also not present on this system.
It had the same basic recovery and support files as the other Dell system we checked out at the retail Store. Nothing exciting. No PC-Doctor present. We didn’t even find any l33t gamer software to make your backlights strobe to dubstep while pwning n00bs. If this is what their boxed systems are like, great job, Alienware!
For Asus, we looked at two models:
- Asus TP200S
- Asus TP200S Signature Edition
The standard non-Signature Edition system, just like the others, contained a large amount of third-party software from a wide range of vendors, as well as Asus-developed update tools, in which we identified multiple security vulnerabilities.
The Signature Edition shipped with scheduled tasks for functionality related to some hardware features: ACMON.exe, USBChargerPlus.exe, AsusTPLauncher.exe, AsPatchTouchPanel64.exe, SimAppExec.exe, but did not include the vulnerable Asus updater or the third-party applications and add-ons.
There was still some ASUS-developed software present, which increases the attack surface of the device, however, we have not performed a full audit of all of the ASUS components besides the known-vulnerable updater that was not present on the Signature Edition hardware.
For Dell, we had two systems. One Signature Edition and one traditional OEM version:
- Inspiron 15 Signature Edition
- Inspiron 14
Much like the HP systems, the non-Signature Edition system contained the full suite of tools from McAfee along with other bundled third-party software that seems to only serve as a mechanism for the OEM partners to sell more unneeded software.
Looking at the scheduled tasks on the Signature Edition, we find Intel WiDi (Wireless Display) Software Asset Manager and Intel Update Manager software running, as well as a Realtek HD Audio service and Dell SupportAssist. We also found an Intel telemetry component running as a scheduled task, “lrio.exe.” We haven’t profiled this application to see what sort of telemetry data it captures and where it’s sent, as we were primarily focused on Dell’s support tools.
Software-wise, we find the computer preloaded with a handful of Dell apps: Dell Audio, Dell Power Manager, Dell QuickSet, and Dell SupportAssist. A C:\DELL\ directory existed with a log file within that indicated a Realtek audio driver update had recently been applied.
Looking deeper into Dell SupportAssist, we see that the executable is actually pcdrcui.exe and the signer is PC-Doctor, Inc., which suggests they licensed an off-the-shelf solution rather than writing it in-house like HP.
After running the pcdrcui.exe scheduled task for the first time, the task was deleted and replaced with two other PC-Doctor scheduled tasks: sessionchecker.exe and uaclauncher.exe, both living in the C:\Program Files\Dell\SupportAssist\ directory. A kernel-mode service was also created, based on the driver stored at C:\Program Files\Dell\SupportAssist\pcdsrvc_x64.pkms, signed by PC-Doctor, Inc. on Monday, May 9, 2011 with a SHA-1 digest.
The driver creates a device, \DosDevices\PCDSRVC with the characteristic FILE_DEVICE_SECURE_OPEN which may protect it from unprivileged access.
For custom URI handlers, we found the “intelwidi:” handler which triggers WiDiApp.exe, whose attack surface we did not have time to evaluate as we were focused on vendor-specific software. Overall, we did not see the same use of local HTTP servers and registry-based URI handlers that we saw in the HP software suite.
Dell SupportAssist (PC-Doctor) seemed less dangerous at first glance than other support frameworks we saw. It did not seem to have a built-in update downloader and installer; instead, it pulled a list of updates and prompted users to open their browser to Dell’s support pages to download and install updates manually. Additionally, the “DellConnect” support tool for remote access wasn’t installed by default, and required the user going to Dell’s site to install it. The tool mostly seemed to be a collection of links to other places with some basic diagnostic info.
However, we haven’t performed an extensive audit of the SupportAssist/PC-Doctor software. It may still be possible to exploit; for example, by MITMing the call to retrieve the update list, or through interactions with the device driver. Additionally, the use of kernel-mode code is risky and didn’t seem necessary from the limited apparent functionality of the application.
On June 2, 2016, I went to a Microsoft store and experimented with a demo Dell Signature Edition laptop. Unfortunately I did not note the model number and they left no indicators of it on the filesystem, but it had no Dell or PC-Doctor software present.
This was one of the cleanest systems we looked at. Here’s the result for every file on the disk with “Dell” in its name:
C:\Recovery\OEM\DellEFI.wim C:\Recovery\OEM\Dell\HnSLogo.png C:\Recovery\OEM\Dell\MceLogo.png C:\Recovery\OEM\Dell\OemUser.bmp C:\Recovery\OEM\Dell\OobeLogo.png C:\Recovery\OEM\Dell\PerfLogo.bmp C:\Recovery\OEM\Dell\program_desktop.ini C:\Recovery\OEM\Dell\SystemLogo.bmp C:\Recovery\OEM\Dell\ThemeLogo.png C:\Recovery\OEM\Dell\United States Service Contracts C:\Recovery\OEM\Dell\USBtranslations.dll C:\Recovery\OEM\Dell\users_desktop.ini C:\Recovery\OEM\Dell\United States Service Contracts\Dell Consumer Hardware Serivce Contract - 8-2013 (ed 3-2013).pdf C:\Recovery\OEM\Dell\United States Service Contracts\Dell_Marketing_L_P__Consumer_ADS_contract_8-2013.pdf C:\Recovery\OEM\Dell\United States Service Contracts\Dell_Marketing_L_P__Consumer_In-Home_Hardware_contract_8-2013.pdf C:\Recovery\OEM\Dell\United States Service Contracts\PSS_SD_ US - 020314.pdf C:\Windows\Help\nvcpl\nv3dell.chm C:\Windows\System32\DriverStore\FileRepository\dellrbtn.inf_amd64_0f6ef9155758a779 C:\Windows\System32\DriverStore\FileRepository\dellrbtn.inf_amd64_0f6ef9155758a779\DellRbtn.cat C:\Windows\System32\DriverStore\FileRepository\dellrbtn.inf_amd64_0f6ef9155758a779\dellrbtn.inf C:\Windows\System32\DriverStore\FileRepository\dellrbtn.inf_amd64_0f6ef9155758a779\dellrbtn.PNF C:\Windows\System32\DriverStore\FileRepository\dellrbtn.inf_amd64_0f6ef9155758a779\DellRbtn.sys C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..ssmodellibraries-gc_31bf3856ad364e35_10.0.10586.0_none_3cd5f87f719aac5b.manifest C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-processmodellibraries_31bf3856ad364e35_10.0.10586.0_none_6721f52a55398e3e.manifest C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-p..ssmodellibraries-gc_31bf3856ad364e35_10.0.10586.0_none_472aa2d1a5fb6e56.manifest C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-processmodellibraries_31bf3856ad364e35_10.0.10586.0_none_71769f7c899a5039.manifest``` Some recovery and contract stuff. Not even any GUI tools for managing hardware. Clean. Nice. But why wasn’t the one we bought in a box from the Microsoft Store like that? Dell did not include their vulnerable updater in the Signature Edition we purchased, however we did find other third-party software. It was interesting that the retail demo unit did not seem to have the same software as the boxed unit. Our limited sample size suggests that a purchaser of a Dell Signature Edition may or may not have a system free of pre-packaged components, and will have to check themselves after receiving the machine. The pre-packaged components on Signature machines are of unknown quality, as we have not deeply audited them. *B* ### Hewlett Packard For this project, we had a number of HP systems, one of which was a Signature Edition: * HP Stream x360 (11-p091nr) Signature Edition. * HP Stream 11 (11-d001dx) * HP Envy 15 (15-ah151sa) The two systems that were not branded Signature Edition were a total mess. Numerous third party applications and services were found installed, including the entire host-based security suite from McAfee, as well as a third-party media player known as Cyberlink. There were even add-ons from Dropbox, Netflix, Amazon, Booking.com and Evernote on the systems, along with a handful of HP-developed tools for updating and supporting the system. The Signature Edition Stream x360 was found to be in better shape, as it contained the HP support and update suite. Overall, the attack surface on the Signature Edition was far smaller than that of the standard OEM, however, the presence of the poorly written HP support suite does provide opportunity for an attacker. You can read more about our work analyzing the OEM updater suites and the vulnerabilities we found in HP's updater [here](https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters). One point worthy of note: the machines we received included old versions of the HP Support Assistant software that, in our experience, required manual updating. There is an auto-update scheduled task present on the machines, however we found that it did not seem to properly update the updater software itself unless we manually triggered an update check through the UI. This problem impacted all HP systems, including the Signature Edition model. This, of course, is a concern because during our research, we identified numerous vulnerabilities in the version of support tools installed on the system, including the ability to perform what is known as a “drive-by attack.” For an example of why this is bad: we found a vulnerable [URI handler](https://msdn.microsoft.com/en-us/library/aa767914(v=vs.85).aspx) configured for “HPSAObjectMetrics” that would allow arbitrary client-side command execution via means like an embedded iframe or img tag on a malicious site. For an example of why this is bad: we found a vulnerable [URI handler](https://msdn.microsoft.com/en-us/library/aa767914(v=vs.85).aspx) configured for “HPSAObjectMetrics” that would allow arbitrary client-side command execution via means like an embedded iframe or img tag on a malicious site. This has been patched silently by HP (the software now checks that the process responsible for triggering the URI handler was HPSFViewer.exe), however several systems exhibited the problem out-of-the-box months after a patch was available. This means that the machines were vulnerable to a trivially exploitable drive-by vulnerability: any malicious site could embed an iframe or img tag and compromise the machine. The non-Signature Edition HP’s pre-packaged Dropbox installer had a slight privacy gaffe: the application would open a giant, nearly full-screen Dropbox registration form as the result of a scheduled task. The form would be pre-populated with email address data sourced from the Windows user account -- sent over plaintext HTTP as a GET parameter to Dropbox. It seems like HP’s approach for Signature Edition means not including third-party bundleware from vendors like McAfee and CyberLink. HP made some good choices here: Windows Defender serves as antivirus, there aren’t any giant screen-hogging, email-revealing advertisements for Dropbox, and many less startup processes and services. Most concerning is the continued presence of the HP utilities suite (HP Support Assistant, HP Recovery Manager, and HP Utility Center), which add minimal utility (primarily updating drivers and restoring the disk) at the expense of increased attack surface. We can’t help but wonder if the same goals could have been met with built-in Windows features and cooperation with Microsoft? Wouldn’t it be great if vendor-developed drivers and software were updated via Windows Update instead? Or if that’s not an option, it would be great if vendors could use more vetted updaters, for example [Google’s Omaha open-source updater](https://github.com/google/omaha) which is used across their Windows product line and known to be relatively good while used in a proper configuration. Overall, if you’re purchasing HP, you are better off getting the Signature Edition to avoid annoying pop-up advertisements, however you should be wary of bugs within the highly-privileged services HP runs by default. Our observations were that the software runs with elevated privileges, exposes many IPC mechanisms, and is under frequent development (there were a couple bugs we discovered that got squashed before we could even report them). There is a lot of room to go wrong here and not much value provided to end-users. Overall, if you’re purchasing HP, you are better off getting the Signature Edition to avoid annoying pop-up advertisements, however you should be wary of bugs within the highly-privileged services HP runs by default. Our observations were that the software runs with elevated privileges, exposes many IPC mechanisms, and is under frequent development (there were a couple bugs we discovered that got squashed before we could even report them). There is a lot of room to go wrong here and not much value provided to end-users. While investigating Signature Edition HP machines in the retail Microsoft Store, we saw that demo units did not seem to have the HP Support Assistant application present that we saw in the Signature Edition laptop we purchased several months prior. However, we saw artifacts of HP’s OEM software, for example the HP-signed wrapper around cmd.exe (`C:\hp\BIN\commands.exe`). It’s not clear whether HP is inconsistent in their Signature Edition images or if employees at the retail Store manually removed the software, however it’s clear some purchased HP Signature Editions come with HP Support Assistant. The best option for buyers? A clean reinstall of Windows, unfortunately. *C* ### Lenovo Lenovo was a vendor whose Signature Edition machines seemed to be inconsistent, possibly because they're already shipping units with the Lenovo Accelerator removed -- though we find it unlikely those have already made it to retail Stores as demo units. We checked out two Lenovo machines at the Microsoft Store, a Flex 3 and a Yoga 900. On July 2nd, we found the known-vulnerable and deprecated Lenovo Accelerator application on the Flex 3, but the Yoga 900 was clean and had only some pre-populated shortcuts to marketing material. Since we are not completely sure which Lenovo machines have which software present out of the box based on the retail store samples, consumers need to check the install themselves. Lenovo gets points for no longer shipping laptops with the Lenovo Accelerator, but unfortunately, Lenovo chose not to publish an update to kill their updater and are relying on consumers to delete it themselves, so until that stock is off the shelf, customers are potentially left vulnerable. *C+* ### Razer Peripheral company Razer is in the OEM laptop game now, and their machine we investigated at the Microsoft Store came with its own proprietary updater component. We have not performed any analysis of its permissions or quality, however judging from the quality of other updaters we have investigated, we would not be surprised to find some mistakes. They also had some custom drivers, a "Razer InGameEngine" add-on which, judging from forum posts, seems to annoy a bunch of gamers with crashes, and some other gaming-related add-on services and applications that we did not investigate. *B-* ### Samsung Samsung is a vendor that we didn’t include in our initial survey, though we believe further investigation is warranted after checking out their demo unit at the Microsoft Store. We found it came packaged with several Samsung components, notably “Samsung System Agent”, which looks to set up a local listening loopback interface for IPC, a “sService” support tool, and a customer “SW Update” tool. We have not performed vulnerability analysis of any of Samsung’s components, but the fact that they include support and updater tools on Signature Edition machines gives us pause based on other brands’ success rates. *B-* ### Surface Book The Surface Book demo unit we looked at did seem to utilize the OEM-install pattern, but this may have just been a remnant from enabling the Retail Experience. The only third-party software we saw was from Intel and NVidia for supporting the hardware, including a runtime for Vulkan. The Surface Book is the gold standard for Signature Edition experience and what OEM vendors should aim for. *A+* ### Toshiba The Microsoft Store had one Toshiba unit out for display. We found a script that looked like an installer for some OEM software (`C:\recovery\OEM\Scripts\ToshibaSystem.wim`), however we found no traces of any other Toshiba executables on the system. Unfortunately, we discovered this installer script during offline analysis and did not take a copy of the script to analyze. They also had potentially custom EFI firmware image artifacts (e.g. `C:\TOSHIBA\Boot\bootmgr.efi`) but we did not check to see if any are being used. Overall, the system seemed free of Toshiba and third-party programs and updaters. *A* ### Vaio There was one Vaio demo unit at the Microsoft Store. It had a suite of proprietary software for managing the hardware's backlight, networking, and other features called "Vaio Control Center", however we noticed no updater as part of it. It looked boring for remote attackers, though the access to hardware suggests a probable kernel component that might have locally-exploitable privilege escalation vulnerabilities. Additionally, it seems to be poorly updated -- the only download we found for it on Vaio’s site dates back to 2012. The only networking component we saw in our cursory investigation was to send usage data of the Control Center back to Vaio. *A-* ## Summary of Findings OEMs are not being consistent in how they treat Signature Edition. Even Signature Edition laptops from the same manufacturer had different software present depending on the model we looked at. The one guarantee that Signature Edition gives you is that the laptop will be free of pre-packaged trials of third-party software like McAfee and “value-adds” (adware and placement for things like Dropbox and Amazon). You may or may not find an updater and other third-party software on it. You probably will find custom drivers and applications to support hardware pre-loaded. Depending on when your computer was manufactured, you will potentially have an out-of-date updater already present when you boot it the first time. In the case of Lenovo, a discontinued and vulnerable updater that won’t remove itself automatically. We found Dell and Lenovo frustrating because of a lack of clarity on what a Signature Edition experience was: while we didn’t purchase any Lenovo Signature Editions, we did try two in a retail Microsoft Store and found the vulnerable updater component of Lenovo Accelerator on one, but not the other. When we purchased a Dell Signature Edition, we found it concerning that they packaged a third-party support suite component, however when we checked out other Dell machines at the Microsoft Store, we didn’t see any evidence of any We still advise wiping any new system, and installing a clean version of the operating system - but at least the overall attack surface of the Signature Edition systems is less than the standard OEM offering.