It's time to ban bloatware, the persistent PC security pest

By installing flaw-ridden apps, computer makers are punching security holes in new PCs.
Written by Zack Whittaker, Contributor

Just when you thought you couldn't hate "bloatware" any more than you already did, it gets worse.

Last week, a security researcher discovered three separate flaws in Dell, Lenovo, and Toshiba software that comes preinstalled on new PCs and laptops. The proof-of-concept code was published online, potentially putting millions of PC users at risk of attack, and catching the PC makers off guard.

The researcher's concluding words? "Preinstalled crapware is bad." It was a tough lesson in software security, one that wouldn't have needed teaching had the companies not bundled their own homebrew software with their new PCs.

It's a lesson that companies just can't seem to learn from -- not least Dell and Lenovo, whose devices have been compromised by similar security issues in the past.

Bloatware, otherwise known as junkware or crapware, is software that comes preinstalled on new PCs and laptops, and some Android devices. And for many consumers it's the bane of their computer's existence. With the holiday season already in full swing and gift giving just around the corner, expect to hear a few stories about the long-expected bloatware resurgence.

But did it ever go away? Despite promises that PC and phone makers would ditch the bloatware in the wake of a high-profile privacy controversy involving the unwanted software, it seems as prevalent today as it ever has been. One quick look at a number of laptops in Best Buy shows more clearly than ever how prevalent unwanted software can be.

And people are starting to notice again. Sister-site CNET's latest HP Pavilion x2 review specifically called out "needless third-party apps" and "advertising shortcut links" littered across the desktop and throughout the PC.

For both the PC maker and the software makers, it's a great way to generate money on low-margin or free products.

Granted, you're not always going to get the McAfee antivirus free trial, the bundled browsers, the Java plug-ins, and shortcuts on your home screen paid for by major websites hoping to score some cheap advertising. You're more likely now to land a company's own software, such as monitoring and networking apps, for example.

These apps have been shown to punch security holes in what would ordinarily be a relatively safe and secure computer. Windows, like any operating system or software, has flaws that will inevitably be exploited by attackers, but they are regularly isolated, patched, and fixed. These preinstalled apps may help check your network health, update your software, and keep your monitoring services all in one place. They can be useful to a small percentage of novice users.

Without seeing the code, we can only speculate. But in most cases we have no idea what's going on in these apps, and history has not been kind to them.

In Lenovo's case, Superfish was meant to help users shop online for alternative products, but weakened encrypted connections instead. In Dell's case, its software was designed to facilitate customer serviceability, messaging, and support functions, but could have been used to conduct man-in-the-middle attacks.
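One practical check that follows from the Superfish and Dell cases is to look at the PC's own trust store. This is an added example, not code from the article or from any of the vendors it names: a PowerShell snippet that lists trusted root certificates which also have a private key stored on the same machine. A trusted root whose private key lives on the PC lets locally installed software sign certificates for any website and sit in the middle of encrypted connections, which is exactly the weakness described above. It assumes a Windows system where the certificate stores are exposed through PowerShell's Cert: drive.

```powershell
# Added example (not from the article or the PC makers it discusses).
# Audit the trusted-root stores on this Windows PC for root certificates
# that carry a private key on the local machine. Such a root should not
# normally exist on a consumer laptop; each hit deserves a closer look.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspicious = foreach ($store in $stores) {
    # Get-ChildItem on the Cert: drive returns X509Certificate2 objects.
    Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        [PSCustomObject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            Reason     = 'Trusted root certificate with a private key present on this machine'
        }
    }
}

if ($suspicious) {
    # Print the findings as a table for review; nothing is modified.
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'No trusted root certificates with local private keys were found.'
}
```

Run it from an ordinary PowerShell prompt; reading the stores does not require administrator rights. The script only reports, it does not remove anything, because a legitimately deployed root (for example from a corporate PKI) can look the same and removal should be a deliberate decision after checking where the certificate came from.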

Shipping laptops and mobile devices with insecure or buggy apps is, as history has shown, like installing a "backdoor" to your personal data.

Not all devices are created equal, and some are free from bloatware. There's no hard and fast rule on exactly which consumer laptops get which products, though in most cases, enterprise and business products are free from the unwanted software.

As ZDNet's Adrian Kingsley-Hughes has said, bloatware can be "near impossible" to remove. The best bet is to avoid it altogether.

Microsoft's Signature range of PCs and Google's Nexus line-up of branded devices both come free of bloatware. Apple's own products do not come with bloatware, unless you throw its own unremovable apps under that umbrella. And Linux, though rarely used in the consumer market, does not come with bloatware.

Until consumers actively reject devices with bloatware, the PC industry has little motivation to change.
