Security researcher Patrick Barker, along with several others, recently discovered that Samsung's SW Update software was effectively disabling automatic Windows updates: every time Windows was rebooted, it reset the Windows Update setting to "Check for updates but let me choose whether to download or install them," so no update was downloaded or installed unless the user acted.
"SW Update is your typical OEM updating software that will update your Samsung drivers, the bloatware that came on your Samsung machine, etc.," Barker wrote in a blog post describing the issue. "The only difference from other OEM updating software is, Samsung's disables [Windows Update] from working as the user intends it to."
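The downgrade Barker describes is an ordinary, visible change to the Windows Update configuration, so an administrator can check for it on any machine that runs an OEM updater. The following PowerShell is an added example (not code from the article, from Barker's post, or from Samsung or Microsoft): it reads the documented AUOptions value from the Group Policy key and from the per-machine preference key, decodes it, and flags the state in which updates wait for a user. The function names and the treatment of a missing value as the default automatic-install state are this example's own assumptions.

```powershell
# Added example, not from the article or from any vendor. Reports the effective
# Windows Update automatic-update setting and flags the downgrade described above.
# Registry paths and AUOptions meanings are the documented ones; function names
# and the "missing value = default" rule are this example's own assumptions.

# Documented meanings of the AUOptions DWORD.
$AUOptionMeaning = @{
    1 = 'Never check for updates (Windows Update disabled)'
    2 = 'Check for updates but let me choose whether to download or install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically (recommended)'
    5 = 'Allow local admin to choose the setting'
}

function Get-AutoUpdateSetting {
    # Returns the effective AUOptions value and where it came from. A value under
    # the Policies key (Group Policy) overrides the per-machine preference key.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $prefPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    foreach ($entry in @(@{ Path = $policyPath; Source = 'Group Policy' },
                         @{ Path = $prefPath;   Source = 'Local preference' })) {
        $item = Get-ItemProperty -Path $entry.Path -Name AUOptions -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.AUOptions
            return [pscustomobject]@{
                AUOptions = $value
                Source    = $entry.Source
                Meaning   = $AUOptionMeaning[$value]
            }
        }
    }

    # Assumption for this example: no explicit value means the OS default applies,
    # which is treated here as automatic install.
    return [pscustomobject]@{
        AUOptions = 4
        Source    = 'Default (no value set)'
        Meaning   = $AUOptionMeaning[4]
    }
}

function Test-AutoUpdateDowngraded {
    # True when updates will not be installed without user action, i.e. AUOptions
    # 1, 2 or 3. Value 2 is the state the Samsung tool reset machines to at boot.
    param([int]$AUOptions = (Get-AutoUpdateSetting).AUOptions)
    return $AUOptions -in 1, 2, 3
}

# Usage: run in an elevated PowerShell session and compare before and after a reboot.
$setting = Get-AutoUpdateSetting
"AUOptions = $($setting.AUOptions) ($($setting.Source)): $($setting.Meaning)"
if (Test-AutoUpdateDowngraded -AUOptions $setting.AUOptions) {
    Write-Warning 'Automatic Windows updates are not fully enabled; check which software changes this setting at boot.'
}
```

Running the check once after setting "Install updates automatically" and again after a reboot is the quickest way to tell whether something on the machine is reverting the setting, which is exactly the symptom Barker traced back to SW Update.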
In a statement provided to The Register, a Microsoft spokesperson said, “Windows Update remains a critical component of our security commitment to our customers. We do not recommend disabling or modifying Windows Update in any way as this could expose a customer to increased security risks. We are in contact with Samsung to address this issue.”
Still, one commenter on Barker’s blog post questioned the importance of the discovery. “While curious, I don’t think this is all that much outside the industry process (HP does much the same and maybe others as well). … At worst, Samsung (and HP and others?) are guilty of poor communication (just as users are guilty of not paying enough attention to checking for updates and security in general),” the commenter wrote.
In response, Samsung recently issued the following statement: “Samsung has a commitment to security and we continue to value our partnership with Microsoft. We will be issuing a patch through the Samsung Software Update notification process to revert back to the recommended automatic Windows Update settings within a few days.”
"I'm very glad Samsung is committed to implementing a resolution to this issue so soon. … I feel OEMs need to disclose whatever they intend with their users with their software, and if possible, give them a choice," Barker wrote.
"This episode with Samsung is reminiscent of the Superfish scandal of February 2015," Rapid7 engineering manager Tod Beardsley told eSecurity Planet by email. "In that case, Lenovo was bundling adware with new computers, which was, in turn, inserting a self-signed certificate in order to man-in-the-middle (MITM) web traffic and serve ads. This behavior had the side effect of completely disabling endpoint SSL security for secure websites."
“Like with Samsung, Lenovo offered no practical mechanisms for end-users to opt out of this behavior short of reinstalling with a fresh operating system,” Beardsley noted.
“Independent researchers like Patrick perform an incredibly valuable service by choosing to investigate how technology works, and pointing out when short-sighted design decisions undermine the security of the devices that we all rely on to live our lives,” Beardsley said. “It’s unknown today how many Samsung customers have been accidentally skipping critical software updates, or for how long.”