A security researcher found 10 vulnerabilities in the HP Support Assistant application shipped with every laptop the company makes, from the officially dead Windows 7 up to the latest version of Windows 10.
Many companies pre-install software on their laptops and computers with the simple goal of providing support for fixes and automatic updates. While the purpose of the application is clear, its forced integration raises some issues, and it turns out many of them are security-related.
Applications installed by default on hardware are usually identified as bloatware, and it’s especially annoying when you can’t get rid of them. Coupled with the fact that such apps can prove to be a security risk, users often find them a useless component, even if they were implemented with
Bill Demirkapi, an 18-year-old security researcher, looked more closely at the HP Support Assistant application, installed by default on HP computers and laptops since 2012. The researcher already discovered a number of problems with similar software from other companies, such as Dell and Lenovo.
The flaws in the HP Support Assistant can lead to local privilege escalation and arbitrary file deletion, as well as remote code execution. As you can imagine, each carries its own problems. Demirkapi developed proofs of concept for each vulnerability. For example, he was able to trick the software into downloading a zip file from a source other than the
“HP had their initial patch finished three months after I sent them the report of my findings. When I first heard they were aiming to patch 10 vulnerabilities in such a reasonable time-frame, I was impressed because it appeared like they were being a responsible organization who took security vulnerabilities seriously,” said Demirkapi.
But it turns out that the new patch introduces a new vulnerability, allowing for new local privilege escalation exploits. As it stands, the software still harbors three vulnerabilities, and HP has yet to issue a new patch.
Users have a couple of options. One would be to remove the software entirely, but if that’s not possible, they should consider upgrading the app to the latest version as soon as possible.