IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

HP Support Assistant flaws leave Windows devices open to attack

After ten issues were reported in the pre-loaded ‘bloatware’ last year, three privilege escalation bugs remain unfixed

hp laptops

Software pre-installed on all of HP's Windows devices has a number of major security flaws that could lead to critical attacks if successfully exploited. 

HP Support Assistant, which monitors device health and automates driver updates, contained ten different serious vulnerabilities, including two arbitrary file deletion bugs, five local privilege escalation flaws, and three remote code execution (RCE) vulnerabilities. 

Support Assistant is an example of pre-loaded software that ships with Windows devices running Windows 10 as well as legacy systems Windows 8 and Windows 7. Other prominent manufacturers, including Dell and Lenovo, ship devices with similar health-check software, which many regard as ‘bloatware’. 

HP’s iteration allows users check the web for the latest software and driver updates, offers diagnostic tools that can fix hardware and software issues, and offers health alerts service when components may fail.

These applications, however, may not have the same level of oversight as other types of software, according to independent security researcher Bill Demirkapi, and may lead to security gaps forming.

“I always have considered bloatware a unique attack surface. Instead of the vulnerability being introduced by the operating system, it is introduced by the manufacturer that you bought your machine from,” he said. 

“More tech-savvy folk might take the initiative and remove the annoying software that came with their machine, but will an average consumer? Pre-installed bloatware is the most interesting, because it provides a new attack surface impacting a significant number of users who leave the software on their machines.”

Six of the flaws have been fixed since they were initially reported in October 2019, although three remain unpatched. These unresolved flaws can allow malware to compromise a device by handing any attacker elevated access privileges. The RCE and file deletion bugs were fixed in previous updates.

After the issues were first reported, HP released an update in December which claimed to have “resolved the issues reported”, although Demirkapi soon identified several issues that were yet unresolved. He then filed a second report with the company. 

The manufacturer scheduled a further fix in February, set to be released in early March, although this was delayed to 21 March due to COVID-19. This second update was issued on time but failed to fix three outstanding issues.

Given a handful of the bugs remain unresolved, Demirkapi has recommended that uninstalling the software is “the best mitigation” to protect against the attacks described, as well as any future vulnerabilities that may arise.

The next best method of protecting devices is by updating the agent to the latest available version, which will mean some of the issues are fixed, although not all at the time of writing. 

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Laser printers vs Inkjet
Hardware

Laser printers vs Inkjet

2 Aug 2022
What is zero trust?
network security

What is zero trust?

14 Jul 2022
Retbleed hardware-level flaw brings overhead woe to Intel and AMD
Hardware

Retbleed hardware-level flaw brings overhead woe to Intel and AMD

13 Jul 2022
An analysis of the European cyber threat landscape
Whitepaper

An analysis of the European cyber threat landscape

8 Jul 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022