Users of HP computers should take action. The HP Support Assistant installed on many machines running Windows has security vulnerabilities that are not closed by auto-update. Whether the HP patch released at the beginning of April 2020 closes all of the vulnerabilities is currently unknown.
What is the HP Support Assistant?
To keep HP computers working, the manufacturer has installed the HP Support Assistant software by default on its Windows 7, Windows 8.1 and Windows 10 systems since October 2012. The idea is that HP Support Assistant searches for software updates (drivers etc.) and keeps them current.
(HP Support Assistant, Source: HP)
The idea is not a bad one: the software comes with a user interface for managing the updates, so the user stays in control of them and feels safe. Personally, however, such an approach makes me uneasy, because these 'assistants' have been conspicuous for years as a kind of 'snake oil'. It all sounds good, but it doesn't work, and the security holes put device owners at risk. ASUS device owners have in the past had malware delivered onto their systems this way (see the links at the end of the article).
Vulnerability in HP Support Assistant
Security researcher Bill Demirkapi noticed last year that HP Support Assistant has security vulnerabilities. He made this public last week in the following tweet.
Several Critical Vulnerabilities on most HP machines running Windows, https://t.co/0hrP6YXT74
— Bill Demirkapi (@BillDemirkapi) April 3, 2020
I'm covering it in this blog post because there are many Windows users on HP devices who still have the software installed.
The vulnerabilities
HP Support Assistant brings a whole host of vulnerabilities to the Windows system, ranging from arbitrary file deletion to privilege escalation and remote code execution. Bill Demirkapi describes these very serious vulnerabilities in great detail in his blog post here.
HP doesn't get the fix right
According to his own account, Demirkapi informed HP of the vulnerabilities in May 2019. It then took the manufacturer until December 2019 to provide a first security update intended to close them. Another update of the software followed in March 2020.
When Demirkapi took a closer look at the new versions, it became apparent that not all vulnerabilities were closed. One update even made things worse by introducing an additional vulnerability.
Uninstalling the HP Support Assistant recommended
According to Demirkapi (as of April 3, 2020, when his write-up was published on GitHub), four vulnerabilities in HP Support Assistant are still unfixed. HP published this Security Bulletin for HP Support Assistant on April 2, 2020. It states that a new update should fix potential vulnerabilities in the areas of privilege escalation and arbitrary file deletion. The vulnerabilities were reported by Bill Demirkapi, Hou JingYi (@hjy79425575) of Qihoo 360 CERT, and Nichlas Holm Jørgensen of the Danish Cyber Defence.
Whether HP has fixed all of the vulnerabilities reported by Bill Demirkapi with this update is currently not clear. Another problem: HP claims that the software updates itself automatically, but according to Demirkapi the automatic update function in HP Support Assistant is deactivated by default and must be explicitly enabled by the user. A machine that has never had the option switched on therefore stays on whatever vulnerable version it shipped with.
Given this situation, Demirkapi recommends uninstalling HP Support Assistant for security reasons. Bleeping Computer has also published an article on the topic.
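For administrators who want to know which machines still carry the software, here is an added PowerShell inventory check (my own example, not code from the article, from Demirkapi's write-up or from HP): it reads the Windows Uninstall registry keys, reports the installed HP Support Assistant version and flags versions below a threshold. Since the article names no version numbers, the -MinimumVersion parameter is a placeholder to be set from HP's Security Bulletin.

```powershell
# Added example (not from the article or from HP): inventory HP Support Assistant
# installations so an administrator can decide whether to update or uninstall.
# -MinimumVersion is a placeholder; set it from the version HP's bulletin names.
function Get-HpSupportAssistantStatus {
    param(
        [version]$MinimumVersion = [version]'0.0'   # placeholder, see lead-in
    )
    # HPSA may be registered under the 64-bit or the 32-bit (WOW6432Node) hive.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'HP Support Assistant*' }

    if (-not $found) {
        return [pscustomobject]@{
            Installed = $false; Version = $null; BelowMinimum = $false; UninstallString = $null
        }
    }
    foreach ($entry in $found) {
        $parsed = $null
        $below  = $null   # stays $null when the version string cannot be parsed
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            $below = $parsed -lt $MinimumVersion
        }
        [pscustomobject]@{
            Installed       = $true
            Version         = $entry.DisplayVersion
            BelowMinimum    = $below
            UninstallString = $entry.UninstallString   # what an uninstall would run
        }
    }
}

# Usage: run in an elevated session; pipe to Export-Csv when collecting from a fleet.
Get-HpSupportAssistantStatus -MinimumVersion '0.0' | Format-List
```

A result with BelowMinimum set to $true (or $null, meaning the version could not be read) is the machine that needs attention, either by applying HP's April 2020 update or by following the uninstall recommendation above.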
Similar articles:
Serious vulnerability in Dell's PC Doctor Assistant
Critical Vulnerability in Dell SupportAssist (Feb. 2020)
ShadowHammer: ASUS Live Update infected with backdoor
Backdoor: ASUS has been warned about risks since months
Vulnerability in Windows 10 Update Assistant
HP secretly installs HP Touchpoint Analytics Client telemetry client
From my day-to-day work, HPSA versions often report being updated on a manual check but are not, and stay stuck on the version.
They then need a manual download from the theme page and then a manual update, as the public file is often outdated too.
I think most PC makers offer up a series of what they call value-added software to help PC users fix and maintain their PC. Dell has also been riddled with issues with its own update utility. I agree that, since Windows 10 will update drivers when it runs Windows Update, these update utilities from the PC maker are not needed. The more you have installed, the more chance of something having been compromised. You're better off looking up any driver updates online and downloading and installing them manually.