Asus LiveUpdate vuln.


inyourcloset

Saw this on reddit, and thought it was wicked cool (this is the author's site, where he did his writeup):

http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and

His TL;DR:

ASUS’ LiveUpdate software is preinstalled on computers shipped by ASUS. It is responsible for delivering updates, new versions of the BIOS/UEFI Firmware and executables for use with ASUS software. Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the “Administrators” NT group (“Highest Permissions” task scheduler). There is no verification or authentication of source or content at any point in this process, allowing trivial escalation to NT AUTHORITY\SYSTEM.

EDIT: This vuln has been patched.
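The TL;DR above lists the two checks that were missing: nothing authenticated the archive, and nothing vetted its contents before they were extracted and run with admin rights. The following is an added example (not from the writeup or from ASUS) of what that gate looks like on the client side; it assumes the expected digest was obtained over an authenticated channel (a signed manifest or pinned TLS), and uses a constructed in-memory archive as the sample download.

```python
import hashlib
import hmac
import io
import posixpath
import zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_zip(payload: bytes, name: str = "update/setup.exe") -> bytes:
    """In-memory archive; a constructed stand-in for a downloaded update."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# PINNED_SHA256 plays the role of a digest obtained over an authenticated channel
# (signed manifest or pinned TLS). A digest served over the same plain-HTTP
# channel as the archive could be rewritten along with it and proves nothing.
SAMPLE_ZIP = build_sample_zip(b"MZ-constructed-sample-not-a-real-binary")
PINNED_SHA256 = sha256_hex(SAMPLE_ZIP)

def safe_entry_names(zf: zipfile.ZipFile) -> list:
    """Entry names, rejecting any that could escape the extraction directory."""
    names = []
    for info in zf.infolist():
        name = info.filename
        parts = posixpath.normpath(name).split("/")
        if name.startswith(("/", "\\")) or ":" in name or ".." in parts:
            raise ValueError(f"unsafe archive entry: {name!r}")
        names.append(name)
    return names

def validate_update(archive: bytes, expected_hex: str) -> list:
    """Return entry names if the archive matches the pinned digest and is safe
    to extract; raise ValueError otherwise, so nothing touches disk or runs."""
    # Constant-time compare of the whole archive before any entry is parsed.
    if not hmac.compare_digest(sha256_hex(archive), expected_hex):
        raise ValueError("digest mismatch: refusing to extract or run")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return safe_entry_names(zf)

def is_acceptable(archive: bytes, expected_hex: str) -> bool:
    """Go/no-go wrapper for callers that do not need the entry list."""
    try:
        validate_update(archive, expected_hex)
        return True
    except (ValueError, zipfile.BadZipFile):
        return False
```

Only an archive that passes `validate_update` should ever be extracted, and only entries it returned should be handed to the elevated task.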


Scar0ptics

To ensure data integrity they should be using some form of hashing; wouldn't you say so as well? :o

MD5
SHA-1
SHA-2


Huitzilopochtli

I had a Lenovo laptop that came pre-bundled with "Superfish", which turned out to be not so super and a bit too fishy.

Lenovo security incident

Users had expressed concerns about scans of SSL-encrypted web traffic by Superfish Visual Search software pre-installed on Lenovo machines since at least early December 2014. This became a major public issue, however, only in February 2015. The installation included a universal self-signed certificate authority; the certificate authority allows a man-in-the-middle attack to introduce ads even on encrypted pages. The certificate authority had the same private key across laptops; this allows third-party eavesdroppers to intercept or modify HTTPS secure communications without triggering browser warnings by either extracting the private key or using a self-signed certificate.

To scan for Superfish, go here: https://filippo.io/Badfish/


inyourcloset

@Huitz, I'm not too sure what all that means, but thanks for adding! I haven't really studied MitM yet.