A security expert has found multiple flaws in HP Support Assistant, a feature that has been pre-installed on all HP computers sold after October 2012.
Preloaded to computers operating Windows 7, Windows 8 and Windows 10, 10 vulnerabilities affected the device, including five local privilege escalation flaws, two arbitrary file deletion bugs, and three remote code execution bugs.
Once launched, it continues to host a “service interface” which introduces the user to more than 250 different functions. The contract interface is revealed to the local network and customers connect to it through a specific cable, explains security researcher Bill Demirkapi.
To verify client connections with the device a series of checks are carried out to allow the client to access those protected methods finally. The HP Support Assistant is unsafe by nature, the researcher says, while mitigation is in place.
“This is because core components, such as the HP Web Product Detection rely on access to the service and run in an unprivileged context. The fact is, the current way the HP Service is designed, the service must be able to receive messages from unprivileged processes. There will always be a way to talk to the service as long as unprivileged processes are able to talk to the service,” the researcher notes.
The researcher found that an attacker could break the security, for an example, place his malicious binary on some system partition folders and executed with system privileges by HP signed operation, run a downloaded file even if a signature verification failed. An attacker can start an executable with the decryption claim to write malicious payloads anywhere.
Also, the investigator found that in the sense of HP’s privileged operation, an attacker can employ two simple methods to remove any file on the computer.
Also, Demirkapi noticed that the binary “HP Download and Install Assistant” could be used to execute remote code. For that purpose, an attacker can trick the victim into visiting a malicious website, trick the software into downloading a DLL, or get digital certificates for fake companies containing “HP” or “Hewlett Packard.”
The researcher revealed all HP vulnerabilities professionally, and the company has rolled out patches, but it seems that all reported problems have not been resolved. The researchers claim that the initial fixes for the identified vulnerabilities introduced new flaws. In late March, the machine manufacturer received new updates.
According to Demirkapi, by eliminating it from their computers absolutely, users can reduce the security risks raised by HP.
“This may not be an option for everyone, especially if you rely on the updating functionality the software provides, however, removing the software ensures that you’re safe from any other vulnerabilities that may exist in the application,” the researcher says.
System upgrades to the latest version are also an option, but this still means that three local privilege vulnerabilities remain unpatched, concludes Demirkapi.