HP Support Assistant flaws leave Windows devices open to attack

After ten issues were reported in the pre-loaded ‘bloatware’ last year, three privilege escalation bugs remain unfixed

Software pre-installed on all of HP's Windows devices has a number of major security flaws that could lead to critical attacks if successfully exploited. 

HP Support Assistant, which monitors device health and automates driver updates, contained ten different serious vulnerabilities, including two arbitrary file deletion bugs, five local privilege escalation flaws, and three remote code execution (RCE) vulnerabilities. 

Support Assistant is an example of pre-loaded software that ships with Windows devices running Windows 10 as well as legacy systems Windows 8 and Windows 7. Other prominent manufacturers, including Dell and Lenovo, ship devices with similar health-check software, which many regard as ‘bloatware’. 

HP’s iteration allows users check the web for the latest software and driver updates, offers diagnostic tools that can fix hardware and software issues, and offers health alerts service when components may fail.

These applications, however, may not have the same level of oversight as other types of software, according to independent security researcher Bill Demirkapi, and may lead to security gaps forming.

“I always have considered bloatware a unique attack surface. Instead of the vulnerability being introduced by the operating system, it is introduced by the manufacturer that you bought your machine from,” he said. 

“More tech-savvy folk might take the initiative and remove the annoying software that came with their machine, but will an average consumer? Pre-installed bloatware is the most interesting, because it provides a new attack surface impacting a significant number of users who leave the software on their machines.”

Six of the flaws have been fixed since they were initially reported in October 2019, although three remain unpatched. These unresolved flaws can allow malware to compromise a device by handing any attacker elevated access privileges. The RCE and file deletion bugs were fixed in previous updates.

After the issues were first reported, HP released an update in December which claimed to have “resolved the issues reported”, although Demirkapi soon identified several issues that were yet unresolved. He then filed a second report with the company. 

The manufacturer scheduled a further fix in February, set to be released in early March, although this was delayed to 21 March due to COVID-19. This second update was issued on time but failed to fix three outstanding issues.

Given a handful of the bugs remain unresolved, Demirkapi has recommended that uninstalling the software is “the best mitigation” to protect against the attacks described, as well as any future vulnerabilities that may arise.

The next best method of protecting devices is by updating the agent to the latest available version, which will mean some of the issues are fixed, although not all at the time of writing. 

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
Microsoft releases two emergency Windows patches
Security

Microsoft releases two emergency Windows patches

19 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020