HP Support Assistant flaws leave Windows devices open to attack

After ten issues were reported in the pre-loaded ‘bloatware’ last year, three privilege escalation bugs remain unfixed

Software pre-installed on all of HP's Windows devices has a number of major security flaws that could lead to critical attacks if successfully exploited. 

HP Support Assistant, which monitors device health and automates driver updates, contained ten different serious vulnerabilities, including two arbitrary file deletion bugs, five local privilege escalation flaws, and three remote code execution (RCE) vulnerabilities. 

Support Assistant is an example of pre-loaded software that ships with Windows devices running Windows 10 as well as legacy systems Windows 8 and Windows 7. Other prominent manufacturers, including Dell and Lenovo, ship devices with similar health-check software, which many regard as ‘bloatware’. 

HP’s iteration allows users check the web for the latest software and driver updates, offers diagnostic tools that can fix hardware and software issues, and offers health alerts service when components may fail.

These applications, however, may not have the same level of oversight as other types of software, according to independent security researcher Bill Demirkapi, and may lead to security gaps forming.

“I always have considered bloatware a unique attack surface. Instead of the vulnerability being introduced by the operating system, it is introduced by the manufacturer that you bought your machine from,” he said. 

“More tech-savvy folk might take the initiative and remove the annoying software that came with their machine, but will an average consumer? Pre-installed bloatware is the most interesting, because it provides a new attack surface impacting a significant number of users who leave the software on their machines.”

Six of the flaws have been fixed since they were initially reported in October 2019, although three remain unpatched. These unresolved flaws can allow malware to compromise a device by handing any attacker elevated access privileges. The RCE and file deletion bugs were fixed in previous updates.

After the issues were first reported, HP released an update in December which claimed to have “resolved the issues reported”, although Demirkapi soon identified several issues that were yet unresolved. He then filed a second report with the company. 

The manufacturer scheduled a further fix in February, set to be released in early March, although this was delayed to 21 March due to COVID-19. This second update was issued on time but failed to fix three outstanding issues.

Given a handful of the bugs remain unresolved, Demirkapi has recommended that uninstalling the software is “the best mitigation” to protect against the attacks described, as well as any future vulnerabilities that may arise.

The next best method of protecting devices is by updating the agent to the latest available version, which will mean some of the issues are fixed, although not all at the time of writing. 

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021