HP Support Assistant flaws leave Windows devices open to attack

After ten issues were reported in the pre-loaded ‘bloatware’ last year, three privilege escalation bugs remain unfixed

Software pre-installed on all of HP's Windows devices has a number of major security flaws that could lead to critical attacks if successfully exploited. 

HP Support Assistant, which monitors device health and automates driver updates, contained ten different serious vulnerabilities, including two arbitrary file deletion bugs, five local privilege escalation flaws, and three remote code execution (RCE) vulnerabilities. 

Advertisement - Article continues below

Support Assistant is an example of pre-loaded software that ships with Windows devices running Windows 10 as well as legacy systems Windows 8 and Windows 7. Other prominent manufacturers, including Dell and Lenovo, ship devices with similar health-check software, which many regard as ‘bloatware’. 

HP’s iteration allows users check the web for the latest software and driver updates, offers diagnostic tools that can fix hardware and software issues, and offers health alerts service when components may fail.

These applications, however, may not have the same level of oversight as other types of software, according to independent security researcher Bill Demirkapi, and may lead to security gaps forming.

“I always have considered bloatware a unique attack surface. Instead of the vulnerability being introduced by the operating system, it is introduced by the manufacturer that you bought your machine from,” he said. 

Advertisement - Article continues below

“More tech-savvy folk might take the initiative and remove the annoying software that came with their machine, but will an average consumer? Pre-installed bloatware is the most interesting, because it provides a new attack surface impacting a significant number of users who leave the software on their machines.”

Advertisement - Article continues below

Six of the flaws have been fixed since they were initially reported in October 2019, although three remain unpatched. These unresolved flaws can allow malware to compromise a device by handing any attacker elevated access privileges. The RCE and file deletion bugs were fixed in previous updates.

After the issues were first reported, HP released an update in December which claimed to have “resolved the issues reported”, although Demirkapi soon identified several issues that were yet unresolved. He then filed a second report with the company. 

The manufacturer scheduled a further fix in February, set to be released in early March, although this was delayed to 21 March due to COVID-19. This second update was issued on time but failed to fix three outstanding issues.

Given a handful of the bugs remain unresolved, Demirkapi has recommended that uninstalling the software is “the best mitigation” to protect against the attacks described, as well as any future vulnerabilities that may arise.

The next best method of protecting devices is by updating the agent to the latest available version, which will mean some of the issues are fixed, although not all at the time of writing. 

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



K2View innovates in data management with new encryption patent

28 May 2020

HP unveils a host of work-from-home hardware

26 May 2020

HP Elite Dragonfly G1 review: An enterprise essential

29 Apr 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020