By SecureWorld News Team
Wed | Mar 27, 2019 | 5:15 AM PDT

Ignoring persistent software or hardware vulnerabilities has its consequences, as ASUS is discovering in the wake of the ShadowHammer backdoor exploit of its PC update utility.

iTWire reports:

Security issues with the ASUS Live Update utility, which is claimed to have been used in a supply chain attack by a nation-state, were highlighted as far back as 2016, with a security analysis of OEM updaters by three researchers from the firm Duo Security slamming the Taiwan-based firm over its lax approach to updating.

Duo Security's Darren Kemp, Chris Czub and Mikhail Davidov wrote in their study: "ASUS appears to be one of the worst OEMs we looked at, providing attackers with functionality that can only be referred to as remote code execution as a service.

"The 'Asus Live Update' software contains no security features whatsoever, allowing for easy exploitation. Oh yeah, we should probably mention they use this atrocity to push out BIOS updates too."