A security researcher found 10 vulnerabilities in the HP Support Assistant application that ships on every laptop the company makes, affecting systems running anything from the officially end-of-life Windows 7 up to the latest version of Windows 10.
Many companies pre-install software on their laptops and desktops with the simple goal of delivering fixes and automatic updates. While the purpose of such an application is clear, its forced integration raises a number of issues, and many of them turn out to be security-related.
Applications installed by default on hardware are usually identified as bloatware, and it’s especially annoying when you can’t get rid of them. Coupled with the fact that such apps can prove to be a security risk, users often find them a useless component, even if they were implemented with good intentions.
Bill Demirkapi, an 18-year-old security researcher, looked more closely at the HP Support Assistant application, which has been installed by default on HP computers and laptops since 2012. The researcher had already discovered a number of problems in similar pre-installed software from other vendors, such as Dell and Lenovo.
The flaws in the HP Support Assistant can lead to local privilege escalation and arbitrary file deletion, as well as remote code execution, each with its own consequences for the user. Demirkapi developed proofs of concept for every vulnerability; for example, he was able to trick the software into downloading a zip file from a source other than the official one.
“HP had their initial patch finished three months after I sent them the report of my findings. When I first heard they were aiming to patch 10 vulnerabilities in such a reasonable time-frame, I was impressed because it appeared like they were being a responsible organization who took security vulnerabilities seriously,” said Demirkapi.
But it turns out that the patch itself introduced a new vulnerability, allowing for further local privilege escalation exploits. As it stands, the software still harbors three vulnerabilities, and HP has yet to issue a follow-up patch.
Users have two options. The first is to remove the software entirely; if that is not possible, they should update the app to the latest version as soon as possible, since the current release still closes most of the reported flaws, even if not all of them.