The pre-installed HP Support Assistant software on Windows computers is riddled with vulnerabilities
Independent security researcher Bill Demirkapi has uncovered several critical vulnerabilities in HP Support Assistant. According to his research, successful exploitation would let malicious actors execute code remotely, escalate privileges locally, and delete arbitrary files.
HP Support Assistant is a pre-installed application found on HP laptops and PCs purchased after October 2012. According to the manufacturer, the app provides access to “support resources,” such as automated fixes and troubleshooters, for self-help. Pre-installed apps have a downside, however: besides bloating the computer with functionality most owners never use, they add attack surface that cybercriminals can target. As a result, thousands of users could be exposed to potential threats, and HP owners should now be aware of the multiple flaws discovered in HP Support Assistant.
Some security flaws remain unpatched
According to Demirkapi, he initially reported three remote code execution flaws, two arbitrary file deletion vulnerabilities, and five local privilege escalation flaws in October 2019. In December of the same year, HP released several updates to patch them; as it turned out, the fixes were incomplete, and systems running HP Support Assistant remained vulnerable.
In January 2020, Demirkapi sent HP an updated report that covered the flaws still present after the first patch as well as newly discovered ones; HP followed up with another patch in March 2020. Unfortunately, HP again failed to fix everything, and some privilege escalation bugs remain, leaving users vulnerable to attack.
While privilege escalation flaws are not as immediately dangerous as remote code execution ones, they aid threat actors in the later stages of an attack: once an initial foothold exists, they let the attacker gain elevated permissions on the compromised machine and make malware more persistent. Such a vulnerability can be used to disable anti-malware software and then implant malware without resistance.
Protect yourself from hacks: remove or update HP software immediately
Demirkapi is an independent researcher from Rochester Institute of Technology who, for the past year, has been analyzing the bloatware shipped by computer manufacturers such as Dell and Lenovo. He claims that pre-installed applications are less than secure:
Some of the vulnerabilities I have published include the Remote Code Execution and the Local Privilege Escalation vulnerability I found in Dell’s own pre-installed bloatware. More often than not, I have found that this class of software has little-to-no security oversight, leading to poor code quality and a significant amount of security issues.
Because bloatware comes pre-installed, most regular users are not even aware of its existence, or do not care about it. Given the issues the researcher describes, a software flaw inside HP Support Assistant could leave millions of users vulnerable to attack. Even when HP patches these flaws, users need to apply the updates manually, as automatic updates are available only on an opt-in basis, which not all users choose.
There are two ways to mitigate the vulnerabilities affecting the software: update it, or remove both HP Support Assistant and HP Support Solutions Framework from the computer. To apply an update, users should download it from HP's official website or perform the following steps within the app:
- Click on the Start menu
- Select “About”
- Click on “Check for latest version”
To uninstall the applications, users should open Control Panel, select Programs, then click Programs and Features; from the list, right-click HP Support Assistant and select Uninstall, then do the same for HP Support Solutions Framework.
HP and Dell are not the only companies that have shipped vulnerable pre-installed software. Back in 2014-2015, Lenovo sold laptops with Superfish adware that exposed users to cyberattacks. The scandal ultimately cost the company $7.3 million, which included compensation to affected users.
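For administrators who need to check or clean up more than one machine, the Control Panel steps above can be scripted. The following PowerShell script is an added example written for this article; it is not HP's code and not part of the original text. It assumes the two products register under the standard per-machine Uninstall registry keys with a DisplayName containing "HP Support Assistant" or "HP Support Solutions Framework" (the $Patterns list is an assumption and can be adjusted), and it must be run from an elevated (Administrator) PowerShell session. Without the -Uninstall switch it only reports what is installed and which version, which is enough to check whether an update has actually been applied.

```powershell
# Added example (not from the article or from HP): enumerate the per-machine
# Uninstall registry keys, report any HP Support Assistant / HP Support Solutions
# Framework entries with their versions, and optionally run their uninstallers.
# Assumption: the products register under the standard Uninstall keys with a
# DisplayName containing the strings in $Patterns; adjust if yours differ.
# Run from an elevated PowerShell session. Supports -WhatIf for a dry run.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Uninstall   # without this switch the script only reports
)

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Patterns = @('HP Support Assistant', 'HP Support Solutions Framework')  # assumed names

# Collect matching entries with the fields needed to report and to uninstall.
$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($Patterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, QuietUninstallString

if (-not $found) {
    Write-Host 'No HP Support Assistant / HP Support Solutions Framework entries found.'
    return
}

# Report what is installed; compare DisplayVersion against HP's current release.
$found | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

if ($Uninstall) {
    foreach ($app in $found) {
        # Prefer the quiet uninstall string when the vendor registered one.
        $cmd = if ($app.QuietUninstallString) { $app.QuietUninstallString } else { $app.UninstallString }
        if (-not $cmd) {
            Write-Warning "No uninstall string registered for $($app.DisplayName); remove it via Control Panel."
            continue
        }
        # Windows Installer entries are registered as "MsiExec.exe /I{ProductCode}";
        # switch /I to /X (uninstall) and add /qn so the removal runs unattended.
        if ($cmd -match '^\s*MsiExec\.exe\s+/I') {
            $cmd = ($cmd -replace '/I', '/X') + ' /qn /norestart'
        }
        if ($PSCmdlet.ShouldProcess($app.DisplayName, "Run uninstaller: $cmd")) {
            # UninstallString is a full command line, so hand it to cmd.exe to parse.
            Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $cmd -Wait -NoNewWindow
        }
    }
}
```

Run it once without arguments to see the installed versions, then with `-Uninstall -WhatIf` to preview the exact uninstall command lines, and finally with `-Uninstall` to remove the software. Uninstall strings that are not MSI-based may still show the vendor's own interactive uninstaller; the script does not try to guess silent switches for those, since they vary between HP releases.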