These big-name laptops are infested with security bugs – study

Computers from many of the biggest PC makers are riddled with easy-to-exploit vulnerabilities in pre-loaded software, security researchers warn. The research from Duo Security shows that bloatware is not just a nuisance that causes a lag in system boot-up, but a security risk. Laptops from Acer, Asus, Dell, HP and Lenovo all …

  1. Filippo

    Meh. The first thing I do with a new laptop is format and reinstall anyway.

    1. Ian Michael Gumby

      I agree.

      For my wife, I first bought her an HP. Had the right components at a decent price.

      Only problem was that it was full of adware carp.

      Returned it, bought a store brand (Microcenter) which had the OS only, and then installed the Microsoft products.

      No problems and it runs fine (Until my wife mucks it up...)

      1. Anonymous Coward

        The HP website is from my nightmares. It's just so ... corporate.

        I went looking for a laptop driver, and got lost for hours in a maze of twisty little passages, all alike.

        1. Sandtitz Silver badge

          Re: HP

          "The HP website is from my nightmares. It's just so ... corporate. I went looking for a laptop driver..."

          You're doing it wrong. With every manufacturer you only need to invoke your favorite search engine and type:

          <make> <model> drivers

          1. John Brown (no body) Silver badge

            Re: HP

            favorite search engine and type:

            <make> <model> drivers

            Assuming you can find your way through the maze of twisted websites which have repackaged the drivers into their ad-ridden/toolbar-ridden installers or require you to "sign up" before letting you in.

        2. Rod 6

          Re: HP

          For the last few years I've run Linux on my machines, mainly because of my work requirements. I've found that the only drivers I've ever had to install are Nvidia/AMD drivers, as pretty much everything else is auto-detected. Recently, I've found that the open source Nvidia/AMD drivers are good enough not to bother installing the proprietary drivers. I have not used Windows for a while; it seems odd to me that all the drivers are not just pulled from the updates thingy.

        3. spiny norman

          Re: HP

          Upvote for the Colossal Cave reference, and I hate modern corporate web design too.

        4. Afernie

          Re: HP

          "The HP website is from my nightmares. It's just so ... corporate.

          I went looking for a laptop driver, and got lost for hours in a maze of twisty little passages, all alike."

          It's become much, much worse since they hived off the Enterprise division and basically decided they couldn't be arsed to update any links. Whatever you're looking for, on or you can be sure it will be on the other site and the link will be broken.

      2. Anonymous Coward

        Re: I agree.

        "Only problem was that it was full of adware carp."

        Aha! That's where the fishy smell was coming from!

      3. ecofeco Silver badge

        Re: I agree.

        Same here Ian. I bought a bare bones refurbished laptop. Installed extra security right away and have been happy since.

    2. chivo243 Silver badge

      +1 but, every so often, I've run across some drivers that were installed, and then can't find them even on the vendor's site. Only to find that they had rebranded some other company's gear...

      1. Anonymous Coward

        Agreed, but I always make sure I have the drivers before doing anything irrevocable. Also updated antivirus/firewall/etc. so I can prophylactic up the new install before it sees the net.

    3. Dadmin

      My Lenovo had that crapware, and they put hooks for it to reinstall from the firmware, so merely reinstalling your OS does nothing. Fortunately for me, I got the x220 for free and my old desktop crew zapped out that nasty firmware for me. At least that's what I think happened. The Windows partition lacks any license, so no idea if that worked as Mint is quite happy and won't be bothered by it anyway. The things people do to get their stupid ads in front of your face is quite alarming. So very glad I don't watch commercial broadcasts anymore. I have not seen a TV advert since last year, not including a recent family visit where I saw those old-timey videos that have products in them and you're supposed to pay attention to that or something. Advertising, it does nothing for me.

      Now, I would put on some "free" W10, but again; no current license so can't try it out just yet. Thanks for working out all the issues, you regular Windows Guys and Gals! I'm all Mac/Linux/Unix but do dip my toe in every once in a while. Looking forward to trying out W10 on a working box, hopefully later this year.

      1. AnthonyP69

        Hate to tell you this but the X220 doesn't run that software.

        The Lenovo issue was with consumer products. Lenovo did have an issue with its Corporate product called System Updater but it has now been patched.

        These articles seem to miss the point; most of the issues are with the cheap arse consumer products. Wish they would list the machines or family the software is used on before carrying on about security issues.

        1. Anonymous Coward

          That's because

          we ARE Cheap Arsed Consumers.

          Just cheap arsed consumers with a great deal more IT knowledge than a lot of CAC.

          1. andykb3

            Re: That's because

            You mean there's lots of Cheap Arse Consumer Knowledge (or CACK) here?

            Couldn't agree more :)

    4. mmaug

      "Meh. The first thing I do with a new laptop is format and install GNU/Linux anyway."

    5. Doctor Syntax Silver badge

      "format and reinstall anyway."

      ...and hope the bar stewards haven't put something nasty in firmware.

    6. Sebastian A

      Understandable, sure, but it really shouldn't be necessary. It's like buying a new car and having to paint over it to get rid of the scratches and full-panel car yard logos.

    7. Mark Cathcart

      Which won't help at all if the vulnerability is in the management "firmware".

    8. Anonymous Coward

      "First thing I do..."

      That's likely a strong majority of Reg readers. We are not typical. 99% of computers bought by consumers are not reinstalled and keep the crapware. It is a big problem, even if the technically inclined minority doesn't suffer from it.

      You might as well argue that phishing isn't a problem because you are smart enough not to fall for it. Or that armed robbery of your home isn't a problem because you have an alarm and keep a loaded gun on your nightstand.

      1. Hans Neeson-Bumpsadese Silver badge

        Re: "First thing I do..."

        I consider myself a typical Reg reader. I work in software dev/design and know plenty enough about computers to build my own from component parts, install *only* the software I want, and have been doing that since I built my first Win 95 machine. But here's the thing....

        I'm not going to use Linux for my main machine at home. The main applications I use for home use are Windows only (OK, Mac as well, but I'm not making that particular jump because reasons).

        Secondly, I have a life. Last time I needed a new PC, I went to the local store, found one with the specs I needed. I bought that and spent a small number of hours copying data and installing software.

        Now, I have a machine with some bloatware (mostly disabled). It's not quite what I want, but I was able to get running relatively quickly and conveniently, compared to sourcing umpteen component parts and building everything from scratch.

        Even some IT pros do it the consumer way when time is more precious than achieving tech Nirvana.

    9. DropBear

      Huh? "Reinstall"...? From what?!? No laptop I have seen in the last decade came with any sort of installation media...

      1. Hans Neeson-Bumpsadese Silver badge

        RE: installation media

        I got a new laptop from Chillblast last year, and it came with OS installation media. Mind you, as it came from Chillblast, it wasn't pre-loaded with bloatware, so my observation may well be moot.

    10. Aodhhan

      What do you do the reinstall with, the disks which come with your system? Pfftt.. you're just reinstalling the same crap. Look thru the registry after you do the reinstall and you'll see. I don't see most people purchasing a new laptop which comes with an OS, reformatting it and purchasing a clean copy of Microsoft or Apple OS.

  2. NoneSuch Silver badge

    The OS isn't that great either...

  3. vir

    "a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware"

    Surely "a rage-inducing amount" is a more accurate term?

  4. John Smith 19 Gold badge

    "vendor-incentivized crapware,"

    I like that. VIC.

    Sound right.

    Because it is.

    And vendor updaters?

    I don't even know what a Windows Binary Table is.

    1. Vic

      Re: "vendor-incentivized crapware,"

      I like that. VIC.

  5. Shadow Systems Silver badge

    It's the MS Signature Editions that are truly scary.

    Those are _supposed_ to come free of anything but the bare OS, the drivers required to make the device function, & any specific MS Office style software indicated by the customer. It's _not_ supposed to include any 3rd party bloatware since the whole point of paying extra for the MSSE is that the manufacturer isn't getting the subsidies from said 3rd party entities.

    So to have the MSSE models riddled with such security flaws implies it's not necessarily the 3rd party crap that's the issue, but the manufacturer's _Drivers_ that open you to such security nightmares.

    How the hell are you supposed to protect against something like that? Simply Nuke&Paving the machine to reinstall a fresh copy of the OS is nice, but then you've got to go grab the drivers so you can use all the nifty hardware - those same drivers that open you up to be violated. Unless you're installing a different OS on it entirely that uses different drivers, you're only back where you started.

    And doing a N&P to a system to give it a fresh start isn't something your typical John Q. Public is going to know how to do, have the time to do, or give a damn to even pay someone else to do for him - he's just shelled out a thousand or more for his new shiny, damned if he'll shell out even more just so some computer wonk can futz with it before he gets to play with his new toy.

    How are you supposed to secure your machine if it's already wide open before it arrives? Spend the next few (hours|days|weeks) removing all the crap, patching it to try & stop the leaks, and pray that you're safe, or just throw up your hands to install Linux/BSD instead? That's not something the average user will know how to do, thus leaving the computer wonks to try & educate them about why their nice new shiny is merely a highly polished turd. =-(

    1. Anonymous Coward

      Re: It's the MS Signature Editions that are truly scary.

      Seems the only "safe" way to run Windows is in a VM these days. For two reasons:

      1. The VM means you can use largely vanilla drivers regardless of the host platform, reducing your vulnerabilities.

      2. Most malware is written to detect and not run in a VM, making it an effective antivirus solution in its own right. (A third party one to mop up though is still advised.)

      The downsides include reduced performance (especially for video) and some legitimate software will refuse to run in a VM.

      I had similar assumptions about the "signature editions", looks like those were unfounded.

    2. Fuzz

      Re: It's the MS Signature Editions that are truly scary.

      I think the vulnerabilities are in the OEM driver update software rather than the drivers themselves. It's a shame that the MS signature editions still contain these crummy bits of software. Driver packs for computers should be a zip containing the raw driver files with the inf and no stupid installer. Then just let Windows find the drivers.

      1. Privatelyjeff

        Re: It's the MS Signature Editions that are truly scary.

        I try and open the installers in 7-Zip and extract the files I need and toss away everything else.

      2. Phil Kingston

        Re: It's the MS Signature Editions that are truly scary.

        I tend to just unzip the exe of those hateful driver installers and drag out the driver files.

        But users shouldn't have to do that.

        The more the manufacturers are called out on all their crap, the better.

  6. Lars Silver badge

    Just load

    1. BitterExScientist

      Re: Just load

      ... +1 As long as you're not making that suggestion to the manufacturers for their consumer PCs. Just imagine the enhancements they could do then, or look at the nonsense the carriers and manufacturers do to Android phones.

      This is one case where I would wish Microsoft would be more of an industry bully, if it didn't seem like they're now aiming for these revenue sources as well.

      Can I please pay money to receive a computer that already works and doesn't spy on me?

      1. Herb LeBurger

        Re: Just load

        I was at a developer conference recently where Dell had a booth for their Project Sputnik. I asked the dude at the booth what it was all about, he explained that they are Dell laptops with Linux preloaded. I asked "why not just install Mint on a ThinkPad?". He replied, "well if you want to go to all that trouble...". It's no trouble at all, I've been doing it for so long I don't even find it a chore. Just part of playing with the new shiny. And does anyone think Dell can resist putting crapware on their Linux boxes?

        1. Shadow Systems Silver badge

          @Herb LeBurger, RE: Dell & Linux.

          I've been doing research into purchasing my next system, a desktop with a 6th gen, quad core, 4GHz Intel i7 with 32Gigs of DDR4 RAM & a 250Gb M.2 SSD.

          I have gotten quotes from folks at places like System76 for as low as USD$1,200, but when asked about such a system from Dell, the rep gave me a quote for over USD$1,600. That's with Ubuntu on it, NOT Windows. I was shocked sick at the price & asked WTH made a *Linux* system so expensive from Dell. He replied that it was "because we have to use only certain components to be compatible with the twitchy nature of Linux". O.o? W.T.F?

          I thanked him for his time & struck Dell off my list of vendors from which to purchase. That same desktop (from Dell) but with Windows would have cost me about the same as from S76. I'm so disgusted with Dell at this point I want to go slap someone there & demand to know what they were thinking, IF they were thinking at all.

          I know it's only my anecdotal evidence & YMMV, but if you want a Linux machine I'd say go with anyone OTHER than Dell. They seem hell-bent on screwing you over for the "privilege". =-|

          1. MacroRodent Silver badge

            Re: @Herb LeBurger, RE: Dell & Linux.

            but if you want a Linux machine I'd say go with anyone OTHER than Dell.

            All big PC vendors are like that. Dealing with a small-scale PC assembler where you can specify known Linux-friendly components is a better way. The result is also likely to be more upgradeable and repairable, as it will contain only generic parts, instead of funny stuff specially molded for Dell, HP or whatever.

      2. MacroRodent Silver badge

        Re: Just load

        .. +1 As long as you're not making that suggestion to the manufacturers for their consumer PCs. Just imagine the enhancements they could do then, or look at the nonsense the carriers and manufacturers do to Android phones.

        On the other hand, a laptop manufacturer that simply pre-loaded an up-to-date, well-known Linux distribution with NO "enhancements" (apart from harmless ones, like a branded default background image) could now stand out from the crowd, and win friends.

        Not doing this was where the original mini laptops went badly wrong. They had oddball Linux versions that didn't have any software repositories, no community, and required the manufacturer to do all support, which they typically did not do well, and soon dropped (my experience with an Asus Eee PC 901).

  7. benderama

    It's like the world never discovered DeCrapifier

    1. Anonymous Coward

      Does that come in a binary called "vmlinux"?

    2. Anonymous Coward

      I tried it and it de-friended everyone on Facebook and broke up with my girl friend..

      1. Myvekk

        So no real loss then? Now you have time and money for more toys!

  8. Herby

    Uninteresting, but simple test...

    Just put a brand new machine on a publicly available (exposed) IP address, and wait. See how long it takes a "brand new" machine to become taken over.

    My understanding is "not long" is a typical answer.

    No, I wouldn't do this without some very good isolation and monitoring.

    1. Rusty 1

      Re: Uninteresting, but simple test...

      Something I find intriguing about this (potential) suggestion is how to go about achieving it.

      Assuming a domestic environment, every router I've come across (OK, not so many - a couple of Zooms, a few from BT, and a bunch from Draytek), really are plug-and-play with complete blocks on incoming connections. You have to fight (sometimes hard) to permit incoming connections.

      Just what are people doing to be exposed to intrusions? Is it really as easy as walking naked into the whore pits of 'pork?

      1. Roland6 Silver badge

        Re: Uninteresting, but simple test...

        Something I find intriguing about this (potential) suggestion is how to go about achieving it.

        Surely the simplest is to use a mobile broadband dongle and disable the Windows firewall? Then the system becomes a node on the Internet with all ports potentially open - assuming no carrier NAT...

        1. DropBear

          Re: Uninteresting, but simple test...

          "Surely the simplest is to use a mobile broadband dongle and disable the Windows firewall? Then the system becomes a node on the Internet with all ports potentially open - assuming no carrier NAT..."

          That's a mighty bold assumption. With the industrial amount of these things in existence at each carrier and the existing IPv4 shortage, do you seriously think they just give you a routable IP for each one of those...? Out of curiosity, I just switched my WiFi off - and my IP immediately jumped to a "local" 10.x.x.x one...

          1. Roland6 Silver badge

            Re: Uninteresting, but simple test...

            That's a mighty bold assumption. Yes!

            Basically, as Rusty 1 indicates, in the domestic environment, without doing battle with the router configuration, the only/simplest way to expose an end system to the Internet is to directly connect it to the Internet without a router. There are really only two options: connect the system directly to an xDSL modem (common practice in the early years of ADSL), or use a mobile dongle (which is also becoming less common as users switch to using handsets or MiFi devices as WiFi hotspots).

            Now both of these, as you indicate, are conditional on whether or not your carrier/ISP uses NAT. From my experience (in the UK) it seems many ISPs do give out fully routable IP addresses; whilst I've done some rather extensive trials with mobile broadband - using the dongles as backup to a leased-line service - I've not actually bothered to verify that my system has exclusive use of the dynamically assigned IP address.
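The sub-thread above turns on one question: does a directly connected system actually hold a globally routable address, or is it sitting behind carrier NAT (the 10.x.x.x case DropBear saw)? The check below is an added example, not code from any commenter: it classifies the interface address against the reserved ranges (RFC 1918, the RFC 6598 carrier-grade NAT block 100.64.0.0/10, loopback, link-local, IPv6 ULA) and then compares it with the address a remote service reports seeing. All addresses in it are constructed sample values, and the optional outbound-socket lookup in `main` is an assumption about how you would obtain the interface address.

```python
import ipaddress
import socket

# Address ranges that mean the host is NOT directly reachable from the
# Internet. Constructed for this example from the well-known reservations.
NON_ROUTABLE = [
    ("rfc1918",    ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918",    ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918",    ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat",      ipaddress.ip_network("100.64.0.0/10")),   # RFC 6598
    ("loopback",   ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("ula",        ipaddress.ip_network("fc00::/7")),        # IPv6 unique local
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("loopback",   ipaddress.ip_network("::1/128")),
]


def classify(addr: str) -> str:
    """Return the reservation label for addr, or 'global' if it is routable."""
    ip = ipaddress.ip_address(addr)
    for label, net in NON_ROUTABLE:
        # Membership across address families is simply False, so mixing
        # IPv4 and IPv6 networks in one list is safe.
        if ip in net:
            return label
    return "global"


def exposure(local_addr: str, observed_addr: str) -> str:
    """Decide whether a host is directly on the Internet.

    local_addr    - address assigned to the dongle/modem interface
    observed_addr - address a remote service reports seeing for us
                    (e.g. a 'what is my IP' endpoint); supplied by the
                    caller so this function stays offline-testable.
    """
    kind = classify(local_addr)
    if kind != "global":
        return f"behind NAT ({kind} address on the interface)"
    if local_addr != observed_addr:
        return "behind NAT (interface address differs from observed address)"
    # Same routable address on both ends: every listening service is reachable,
    # so a host firewall is the only thing between the box and the Internet.
    return "directly exposed: listening services reachable from the Internet"


def default_route_address() -> str:
    """Interface address used for outbound traffic (assumed lookup method).

    A UDP 'connect' sends nothing; it only asks the kernel which local
    address would be used to reach the given destination.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 53))  # TEST-NET-1 address; no packet is sent
        return s.getsockname()[0]
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed scenarios: DropBear's 10.x case, and a genuinely exposed host.
    print(exposure("10.23.4.5", "203.0.113.7"))
    print(exposure("203.0.113.7", "203.0.113.7"))
    try:
        print("this host's outbound interface address:",
              classify(default_route_address()))
    except OSError:
        print("no default route available")
```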

    2. Vic

      Re: Uninteresting, but simple test...

      Just put a brand new machine on a publicly available (exposed) IP address, and wait. See how long it takes a "brand new" machine to become taken over.

      For many years, Russell Coker put the address of his machine on his website, along with the root password. Yes, you could SSH in as root.

      It's gone now, but AFAIK no-one ever managed to do anything nefarious with it...

  9. Roland6 Silver badge

    System Selection?

    Be interested in knowing more about the basis for including the various systems.

    To me the results would be much more interesting and relevant if they had analysed a business grade machine such as the Lenovo Thinkpad and similar from Dell, HP etc.

  10. Bronek Kozicki Silver badge

    Depressing list

    ... but there is a silver lining - Lenovo seem to have learned a lesson. Now is the time to teach it to other vendors.

  11. GrumpyKiwi

    Lenovo Solution Centre is the first thing I remove from our new Lenovos. Not because of the security vulnerability, but because it's a nagging piece of crap that keeps prompting users to run updates that they can't complete because they don't get Admin rights on their laptops.

  12. Anonymous Coward

    Buyers must stop buying until there is choice...

    I refuse to help family, friends and colleagues anymore with Windows. Been doing this now for about 5 years and it's lost me some friends and gotten sneers. But hey, it's necessary. Ask the shop for Linux, and if they stare blankly then walk away. But do not buy the lie that is Windows 10 / bloatware-infested PCs.

  13. W. Anderson

    Swiss cheese of Operating System software

    Just today, ZDNet had an article directly comparing Mac OS X with Windows 10. Unfortunately the article authors chose to focus on superfluous criteria such as "popularity" of OS, "installed base" - by numbers and very innocuous concepts of ease of use and preference, purely personal choice criteria.

    Instead the facts of this TheRegister article should have been an important consideration, along with elements of Reliability, Flexibility/Scalability, Return-on-Investment (ROI), performance and critically Very Good Security - the topic of this article.

    A few years back IBM did a detailed study on the total costs - initially and long term (1 year) - of a name brand Windows PC costing $500.00 from a retailer. At the end of the year, the overall costs rose to more than $1400.00 given the costs of regular Operating System (OS) maintenance as well as malware removal/re-install of the OS and applications, and the value of "lost productivity" from not having the designated user doing meaningful work, other than challenging Tech Support/Help Desk almost every day.

    The details of this article should once-and-for-all put to rest the argument and noise from Microsoft shills that their beloved OS is the great performer or has the value always claimed.

    I personally prefer an established GNU/Linux distribution that has not only proven unequivocally more reliable, powerful and especially more secure than any iteration of Windows, but has been/is being adopted in most European Union countries, the US Pentagon, many US and international technology universities, NASA and EU space agencies, the US Department of Energy research laboratories (11 in all) and dozens more governments, national education systems, technology organizations, the USA and international financial/banking sectors, and more.

    1. Roland6 Silver badge

      Re: Swiss cheese of Operating System software

      Re: ZDNet article

      These types of articles are far too common. The really worrying thing is how many I've seen over the years that have evaluated security software, e.g. AV and firewalls, on superfluous criteria that have no real bearing on whether the software can actually do the job it is intended to do.

  14. energystar

    The News here...

    Is that it's still News for a lot of people.

  15. ben_myers

    Kit accessed???

    The kit accessed are all computers that can be bought cheaply in mass market big box stores, i.e. cheap consumer grade computers. Of course the vendors will load crapware on their crap computers.

    How about if the company doing the study does some heavy lifting for a change and repeats its analysis with business-class computers such as Lenovo Thinkpads and Dell Latitudes? Betcha the results would be different, as with Snapfish, found only on Lenovo consumer models.

    It's a shame that the chart with the green check marks and red X's does not have an accompanying legend. Is green "good", i.e. no vulnerability, or is it an affirmative check that there is a vulnerability?

    1. Anonymous Coward

      Re: Kit accessed???

      We found the eDellRoot certificate on one of the Dell workstations bought a year or two back. So no, probably not different there.

  16. Anonymous Coward

    Just Buy

    An Apple Macbook

    1. Shadow Systems Silver badge

      Re: Just Buy

      For starters please see my post in reply to Herb LeBurger above for background, then return to this post. Done that? Good.

      In doing my research I tried to configure a Mac Mini to match the specs already mentioned, or as closely as possible. The best that Apple could do was a 4th gen, dual core, 3GHz Intel i7 with 32Gigs of DDR3 & a 250GB SATA-3 SSD for USD$1,400. Read that again. A two generation old, half as many cores, a full GigaHertz slower, slower RAM, & a slower SSD, for *MORE* money than others wanted for better hardware.

      From a consumer's POV (especially taking the wallet into account), it's VERY hard to justify spending more to get less, even if it DOES free you from the shackles of Microsoft. I mean, would you buy an electric car over a gas powered one, if the electric could only go half as fast, half as far, & used technology that other car manufacturers had stopped using nearly two years ago? Sure it's fast, sure it gets the job done, but being asked to spend more for less is just galling.

      So yes buying a Mac is a good way to get off the MS treadmill, but not when you're having to pay more to get less. You've traded DOWN in capability to trade UP in changing the shackles of MS for Apple. Bah.

      1. Anonymous Coward

        Re: Just Buy

        I traded up to OSX so I could get my life back, not have to keep nursing CRAPOS to get anything done, and now I am more productive.

        All my toys talk to each other, seamlessly, no more android/windows dicking about.

        It's quality over quantity, and I would gladly pay more for less if it means I have a better quality of life.

        You did read this

        didn't you?

        1. gizmo23

          Re: Just Buy

          Well that's just the 'time or money' equation. If you're in the happy position of always being able to get more money, then time will be more valuable because it is a limited resource. However, a lot of people don't have that luxury and have to compromise between the two. In that case the cost may exceed the benefit because the time gained has to be spent getting the extra cash to be able to afford that shiny macbook.

    2. Anonymous Coward

      Re: Just Buy

      Yep, and control the SCADA network how? Not to mention the myriad of devices out there that don't have MacOS X drivers.

      Ohh, run Windows/Linux you say? I can tell you from personal experience, running Linux on a MacBook can be a nightmare when it comes to WiFi as Broadcom show complete and utter contempt for the open source community regarding their chipsets. Apple's EFI firmware isn't any better either.

      So no, not a "solution".

  17. jzl

    The onus is now on Microsoft

    The major vendors are a mess when it comes to drivers and software. All of them. Update strategies are ad hoc and patchy, at best. Drivers are invariably buggy, inconsistent and bloaty. And it's been this way for years.

    There are only a small number of major manufacturers, chipsets and key devices now, so perhaps it's time that Microsoft started directly writing first class drivers that support the entity of these machines as a whole.

    It's the only way they've got a hope of bringing the user experience up to where it should be.

    1. nematoad Silver badge

      Re: The onus is now on Microsoft

      " perhaps it's time that Microsoft started directly writing first class drivers that support the entity of these machines as a whole."

      And where pray is the profit for MS in doing that?

      They didn't get where they are today by giving the purchaser what they need, just what they are given. MS has made a lot of money by pumping out the absolute minimum in the OS. Want any more? That'll cost you. Having the drivers included with the OS is not impossible, just look at Gnu/Linux to see that. It's just that MS is fat and happy with the way other people pick up the pieces to actually make the thing work and that's not going to change.

      1. jzl

        Re: The onus is now on Microsoft

        The profit in that is that they will sell more. Just ask Apple if you want to see a link between happy customers and profit.

        1. DropBear

          Re: The onus is now on Microsoft

          Looking at Apple all I see is the link between crass margins and profit.

    2. Roland6 Silver badge

      Re: The onus is now on Microsoft

      perhaps it's time that Microsoft started directly writing first class drivers

      Whilst I'm not sure if their drivers are "first class", MS do write drivers for the Surface where MS, like Apple, has full and total control over the hardware.

  18. rohnski

    Don't keep the problems secret!

    I just bought a new Asus.

    So don't just say there is buggy crapware installed; either give us the program names for each laptop or give us a link to an article that does name them. I really want to know if I can uninstall this crapware or if it is "required" by the builder.

Biting the hand that feeds IT © 1998–2020