HP Support Assistant flaws leave Windows devices open to attack
After ten issues were reported in the pre-loaded ‘bloatware’ last year, three privilege escalation bugs remain unfixed


Software pre-installed on all of HP's Windows devices has a number of major security flaws that could lead to critical attacks if successfully exploited.
HP Support Assistant, which monitors device health and automates driver updates, contained ten different serious vulnerabilities, including two arbitrary file deletion bugs, five local privilege escalation flaws, and three remote code execution (RCE) vulnerabilities.
Support Assistant is an example of pre-loaded software that ships with Windows devices running Windows 10 as well as legacy systems Windows 8 and Windows 7. Other prominent manufacturers, including Dell and Lenovo, ship devices with similar health-check software, which many regard as ‘bloatware’.
HP’s version allows users to check the web for the latest software and driver updates, offers diagnostic tools that can fix hardware and software issues, and provides a health alert service that warns when components may be about to fail.
These applications, however, may not receive the same level of scrutiny as other types of software, according to independent security researcher Bill Demirkapi, and that lack of oversight can leave security gaps.
“I always have considered bloatware a unique attack surface. Instead of the vulnerability being introduced by the operating system, it is introduced by the manufacturer that you bought your machine from,” he said.
“More tech-savvy folk might take the initiative and remove the annoying software that came with their machine, but will an average consumer? Pre-installed bloatware is the most interesting, because it provides a new attack surface impacting a significant number of users who leave the software on their machines.”
Six of the flaws have been fixed since they were initially reported in October 2019, although three remain unpatched. These unresolved flaws could allow malware already running on a device to gain elevated privileges and fully compromise it. The RCE and file deletion bugs were fixed in previous updates.
After the issues were first reported, HP released an update in December which claimed to have “resolved the issues reported”, although Demirkapi soon identified several issues that remained unresolved. He then filed a second report with the company.
The manufacturer scheduled a further fix in February, set to be released in early March, although this was delayed to 21 March due to COVID-19. This second update was issued on time but failed to fix three outstanding issues.
Given a handful of the bugs remain unresolved, Demirkapi has recommended that uninstalling the software is “the best mitigation” to protect against the attacks described, as well as any future vulnerabilities that may arise.
The next best method of protecting devices is to update the agent to the latest available version, which fixes some of the issues, although not all of them at the time of writing.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.