Users of HP computers should take note. The HP Support Assistant installed on many machines running Windows has security vulnerabilities that are not closed by auto-update. Whether the HP patch released at the beginning of April 2020 closes all of the vulnerabilities is currently unknown.
What is the HP Support Assistant?
In order to keep HP computers functional, the manufacturer has been installing the HP Support Assistant software by default on its systems with Windows 7, Windows 8.1 and Windows 10 since October 2012. The idea is that HP Support Assistant searches for software updates (drivers etc.) and keeps them up to date.
(HP Support Assistant, Source: HP)
The idea is not a bad one: the software comes with a user interface through which the updates can be managed, so the user has control over the updates and feels safe. For me, however, such an approach causes unease, as these ‘assistants’ have been conspicuous for years as a kind of ‘snake oil’. They sound good, but they don’t work properly, and they bring security holes that put device owners at risk. Asus device owners have even had malware delivered onto their systems this way (see the links at the end of the article).
Vulnerability in HP Support Assistant
Security researcher Bill Demirkapi noticed last year that HP Support Assistant has security vulnerabilities. He made this public last week in the following tweet.
Several Critical Vulnerabilities on most HP machines running Windows, https://t.co/0hrP6YXT74
— Bill Demirkapi (@BillDemirkapi) April 3, 2020
I’ll bring it up in this blog post, as there are many users of HP devices with Windows where the software is still installed.
HP Support Assistant brings a whole host of vulnerabilities to the Windows system, ranging from arbitrary file deletion to privilege escalation and remote code execution. Bill Demirkapi describes these very serious vulnerabilities in detail in his blog post here.
HP can’t get the fix right
According to his own account, Demirkapi informed HP about the vulnerabilities in May 2019. It then took the manufacturer until December 2019 to provide a first security update intended to close them. In March 2020, a further update of the software followed.
When Demirkapi took a closer look at the new versions, it became apparent that not all of the vulnerabilities had been closed. One update even made things worse by introducing an additional vulnerability.
Uninstalling the HP Support Assistant recommended
According to Demirkapi (as of April 3, 2020, when his post was published on GitHub), four vulnerabilities in HP Support Assistant are still unfixed. HP published this Security Bulletin for HP Support Assistant on April 2, 2020. It states that a new update should fix potential vulnerabilities in the areas of privilege escalation and arbitrary file deletion. The vulnerabilities were reported by Bill Demirkapi, Hou JingYi (@hjy79425575) of Qihoo 360 CERT, and Nichlas Holm Jørgensen of the Danish Cyber Defence.
Whether HP has fixed all of the vulnerabilities reported by Bill Demirkapi with this update is currently not clear. Another problem: HP claims that the software updates itself automatically. According to Demirkapi, however, the automatic update function in HP Support Assistant is deactivated by default and must be explicitly enabled by the user, so an unpatched installation will stay unpatched unless someone intervenes.
Given this situation, Demirkapi recommends uninstalling HP Support Assistant for security reasons. Bleeping Computer has also published an article on the topic.
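For administrators who want to check which Windows machines still carry the software and remove it, here is an added example (my own script, not code from the original post, from HP or from Demirkapi). It only reads the standard Windows Uninstall registry keys and, on request, runs the UninstallString that HP’s own installer recorded there; no HP-specific paths, version numbers or silent-install switches are assumed, because the page does not provide them.

```powershell
# Inventory and optional removal of HP Support Assistant via the Windows Uninstall registry keys.
# Added example; assumes an elevated PowerShell session on the target machine.
# Usage:  .\Check-HPSA.ps1            -> report only
#         .\Check-HPSA.ps1 -Uninstall -> run the vendor-recorded UninstallString (interactive)
param(
    [switch]$Uninstall
)

# Both 64-bit and 32-bit (WOW6432Node) views are checked; the assistant may register in either.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-HPSupportAssistant {
    # Returns one object per matching Uninstall entry; no output means not installed.
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # The display name match is the assumption here; adjust if HP renames the product.
            if ($p.DisplayName -like 'HP Support Assistant*') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    InstallDate     = $p.InstallDate
                    UninstallString = $p.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
        }
    }
}

$found = @(Get-HPSupportAssistant)

if ($found.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: HP Support Assistant not found in the Uninstall registry keys."
    return
}

# Report what is installed, including the version, so it can be compared against HP's bulletin.
Write-Output "$env:COMPUTERNAME: HP Support Assistant is installed."
$found | Format-List

if ($Uninstall) {
    foreach ($entry in $found) {
        if (-not $entry.UninstallString) {
            Write-Warning "No UninstallString recorded for '$($entry.DisplayName)'; remove it via Apps & Features."
            continue
        }
        # cmd /c handles both 'MsiExec.exe /X{...}' style strings and quoted executable paths.
        # The vendor uninstaller may show its own dialogs; silent switches are deliberately not guessed.
        Write-Output "Running: $($entry.UninstallString)"
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($entry.UninstallString)" -Wait
    }

    # Re-check so the operator sees whether the removal actually took effect.
    if (@(Get-HPSupportAssistant).Count -eq 0) {
        Write-Output "$env:COMPUTERNAME: HP Support Assistant removed."
    } else {
        Write-Warning "$env:COMPUTERNAME: HP Support Assistant still registered; check the uninstaller output."
    }
}
```

For a fleet, the same script can be pushed to many hosts with Invoke-Command and the report collected centrally; the DisplayVersion column is what you compare against the version named in HP’s security bulletin, since, as noted above, the assistant’s own auto-update cannot be relied on to have run.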
Serious vulnerability in Dell’s PC Doctor Assistant
Critical Vulnerability in Dell SupportAssist (Feb. 2020)
ShadowHammer: ASUS Live Update infected with backdoor
Backdoor: ASUS has been warned about risks since months
Vulnerability in Windows 10 Update Assistant
HP installs secretly HP Touchpoint Analytics Client telemetry client