PC Matic: Still Not As Amazing As Seen On TV
September 13, 2016 • RBS
Back in February 2016, we conducted a very thorough audit of PC Matic. If you are not already familiar with this software, it is a so-called security product heavily advertised via infomercials. It supposedly provides “superior security” and is “all you’ll ever need”. However, during our audit we found that PC Matic had serious vulnerabilities, failed to deliver on some promises, and even contained misleading statements about its features and capabilities.
It is now about half a year since our original report was published. PC Pitstop, the creators of PC Matic, has, to our knowledge, not warned their customers about the vulnerabilities we uncovered. Furthermore, after brief communication before and after publication of our blog post and whitepaper, we have not heard anything further from PC Pitstop. To this date, we are not aware of any fixed versions.
If PC Pitstop is the serious security company they claim to be, one would expect them to understand the importance of working with researchers, and how to do so properly. They should also have fixed all of the reported vulnerabilities by now. We recently happened to see yet another late night infomercial pushing the product, which reminded us about them, and we decided to quickly re-test PC Matic to determine its current security state. While there have been minimal improvements, the results were depressing…
We recommend reading our original blog post and, optionally, the detailed report first, as here we only summarize our latest findings with references to the original audit. Testing was this time performed on August 31st and September 1st, 2016 against version 188.8.131.52, which was the latest available.
- PC Matic is still affected by most of the originally reported vulnerabilities. Only one vulnerability was fixed in the bundled ActiveX controls. The PCPitstop3D.Perf.1 ActiveX control no longer allows creating arbitrary files and writing attacker-controlled content to them (see section 5.1 of the original report). The PoCs used for testing the ActiveX controls have been made available here.
- PC Matic is still vulnerable to Man-in-the-Middle (MitM) attacks allowing arbitrary code execution on the user’s system. While PC Pitstop did ensure that some communication is now over HTTPS, plain HTTP is still used to communicate with e.g. utilities.pcpitstop.com. Content from this domain is displayed inside PC Matic, and because of the insecure design of the software, in which script code is not run in protected mode, anyone able to tamper with that HTTP traffic can perform arbitrary actions on the client system with the permissions of PC Matic. See section 5.5 of the original report for more information.
- The insecure design of PC Matic grants certain websites that are NOT controlled by PC Pitstop the ability to run arbitrary code on the user’s system. As described in the original report, the design of PC Matic is considered insecure due to the permissions granted to display web content within the process. Considering PC Matic loads web content from certain 3rd party websites, this is highly problematic. Even though communication with these websites happens over HTTPS, a company or home user, who has made the decision of trusting PC Pitstop with their security, may not appreciate that 3rd parties have the same capabilities to run arbitrary commands on their systems as PC Matic.
At least the following three resources are accessed unsafely by PC Matic:
- PC Matic still supports Windows XP, but does not properly protect such systems; instead they are made more insecure. See section 6.1 of the original report for more information.
- PC Matic’s patch management capabilities are still limited and unreliable. Patch management still seems to be offered for only very few applications. Furthermore, during testing PC Matic recommended updating Wireshark to version 2.0.2 (released February 26, 2016), while at the time of writing the latest version fixing known vulnerabilities is 2.0.5. Also, scanning a Windows 7 system with missing security updates produced no warnings. See section 6.2 of the original report for more information.
- PC Matic is still advertised as “Made in the USA”, while containing 3rd party components not made in the USA. One change compared to the previous audit is that PC Matic no longer bundles the ThreatTrack VIPRE technology. However, the ad blocking components are still just rebranded versions of uBlock and Adblock Plus, which are not fully developed in the USA. See section 6.3 of the original report for details.
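The two design findings above (plaintext HTTP to utilities.pcpitstop.com, and HTTPS content from sites PC Pitstop does not control, both rendered with the application's own privileges) reduce to a simple check a practitioner can run over the URLs an endpoint monitor or proxy records for the process. The following is an added example written for this post; it is not PC Pitstop code and does not interact with PC Matic. The sample URLs are constructed: the pcpitstop.com hostnames are the ones named in the findings, while the paths and the third-party host are placeholders.

```python
"""Classify URLs fetched into a privileged in-app web view.

Added example for this follow-up audit, not code from PC Pitstop.
A URL is flagged "plaintext" when it is not HTTPS (an on-path attacker can
inject script that runs with the application's permissions) and
"third-party" when it is HTTPS but the host is outside the vendor's domain
(a site the vendor does not control gets the same privileges).
"""
from urllib.parse import urlsplit

# The vendor's domain as named in the findings; other entries are assumptions.
VENDOR_DOMAINS = ("pcpitstop.com",)

# Constructed sample: what a proxy log might list for the process.
# Hostnames under pcpitstop.com come from the post; paths and the
# third-party host are placeholders, not observed traffic.
SAMPLE_URLS = [
    "https://utilities.pcpitstop.com/constructed/secure",
    "http://utilities.pcpitstop.com/constructed/insecure",
    "https://cdn.example.net/constructed/widget.js",
    "https://notpcpitstop.com/constructed/lookalike",
]


def host_in(host, domains):
    """True if host equals a domain or is a subdomain of it.

    Matches on a dot boundary so 'notpcpitstop.com' is not treated as
    part of 'pcpitstop.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_fetch(url, vendor_domains=VENDOR_DOMAINS):
    """Return 'plaintext', 'third-party', or None for an acceptable fetch."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        # Covers http:// and anything else that is not TLS-protected.
        return "plaintext"
    if not host_in(host, vendor_domains):
        return "third-party"
    return None


def audit_fetches(urls, vendor_domains=VENDOR_DOMAINS):
    """Group flagged URLs by finding; unflagged URLs are omitted."""
    findings = {}
    for url in urls:
        label = audit_fetch(url, vendor_domains)
        if label is not None:
            findings.setdefault(label, []).append(url)
    return findings


if __name__ == "__main__":
    for label, urls in sorted(audit_fetches(SAMPLE_URLS).items()):
        print(label)
        for url in urls:
            print("  ", url)
```

Feeding this the actual hostnames an endpoint agent observes for the PC Matic process is the quickest way to verify the two findings on your own network: every "plaintext" hit is a MitM-to-code-execution path, and every "third-party" hit is a site whose compromise carries the same consequence.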
Based on our previously published research and the lackluster response to our findings, we recommend that you do not use PC Matic. In the past six months the vendor has failed to address serious, known vulnerabilities in the product that currently put their clients at substantial risk. PC Matic appears to “continue to flourish”, and its marketing may leave many people with the impression that it provides certain security benefits. We believe that those perceived benefits are outweighed by the concerns about the vendor’s ability to develop a security product that is actually secure, and to properly respond to reported vulnerabilities.
PC Pitstop, the maker of PC Matic, has chosen to rely on a very problematic and insecure design, and has on top demonstrated that it does not fully understand the negative implications of said design. PC Pitstop has also shown that it lacks the capability to properly secure the product: it has not addressed the vulnerabilities in the bundled ActiveX controls, has failed to fully implement something as basic as HTTPS to protect highly sensitive communication between the client and its servers, and still allows web content from 3rd parties to run in an unrestricted manner.
For consumers’ sake, we hope that PC Pitstop puts a clear focus on immediately addressing the outstanding vulnerabilities and security concerns with PC Matic, which are currently putting their customers at risk.