Vancouver, BC: July 31, 2009 - A paper presented at the Black Hat security conference in Las Vegas (July 2009) by Alfredo Ortega and Anibal Sacco alleged certain vulnerabilities in Absolute® Software Corporation’s Computrace® system that purportedly could be exploited to allow control of a device by unauthorized persons. Absolute maintains that these allegations of vulnerability are unfounded and systems with Computrace are secure.
Computrace is not a rootkit and is not rootkit-like in behavior. Contrary to the authors’ statements, Computrace by design does not attempt to hide in the operating system or to evade control or modification of its settings by the system administrator. The system administrator always maintains management and control over the Computrace Agent. Our strength as a security solution relies on our ability to persist into clean installs of the operating system.
Our BIOS module allows no special undetected path into the operating system. Uncontrolled access to a computer system may allow some BIOS images to be tampered with by an expert. Attempting to alter the Computrace BIOS module for malicious purposes will not defeat conventional detection as claimed by the authors. Any alteration to the BIOS module will cause any popular antivirus software to alert the customer. More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module. The presence of the Computrace module in the BIOS in no way weakens the security of the BIOS.
To clarify how Computrace operates:
Computrace-equipped computers are shipped from the manufacturer with the BIOS module turned off. The Computrace BIOS module is activated by the installation of Absolute software by our customers, and is never forced upon any user. Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels.
If a valid Computrace installation is removed or damaged, the persistent BIOS module will self-heal and restore the software and administrator's settings.
The one example of BIOS stub code, version 785, given in the report is not active in any BIOS to our knowledge. Our earliest released version of the Computrace BIOS module was version 802 over five years ago. Even if the BIOS vendor inadvertently included inactive dead code in the build of the BIOS examined, Absolute has no method to activate this version and it cannot be exploited by a malicious attacker.
On behalf of our customers, Absolute is committed to combating computer crime and data theft in concert with our major PC OEM partners. Absolute offers a unique solution to the increasing need to track, manage and protect mobile computers. The Computrace family of solutions has been responsible for the safe recovery of thousands of lost or stolen data-bearing devices. Customers authorize remote data delete operations daily on missing devices to protect their privacy.
This press release contains forward-looking statements and financial outlook that involve risks and uncertainties. These forward-looking statements and financial outlook relate to, among other things, the expected performance, functionality and availability of the Company’s services and products, and other expectations, intentions and plans contained in this press release that are not historical facts. When used in this press release, the words “plan,” “expect,” “believe” and similar expressions generally identify forward-looking statements. These statements reflect the Company’s current expectations. They are subject to a number of risks and uncertainties, including, but not limited to, changes in technology and general market conditions. In light of the many risks and uncertainties, readers of the press release should understand that Absolute cannot assure them that the forward-looking statements and financial outlook contained in this press release will be realized. Furthermore, the forward-looking statements and financial outlook contained in this press release are made as of the date hereof and the Company does not undertake any obligation to update publicly or to revise any of the included forward-looking statements and financial outlook, whether as a result of new information, future events or otherwise, except as may be required by applicable securities laws.
Absolute empowers more than 12,000 customers worldwide to protect devices, data, applications, and users against theft or attack — both on and off the corporate network. With the industry’s only tamper-proof endpoint visibility and control solution, Absolute allows IT organizations to enforce asset management, security hygiene, and data compliance for today’s remote digital workforces. Absolute’s patented Persistence® technology is embedded in the firmware of Dell, HP, Lenovo, and 22 other leading manufacturers’ devices for vendor-agnostic coverage, tamper-proof resilience, and ease of deployment. See how it works at www.absolute.com and follow us at @absolutecorp.