Numerous bugs have been found in HP Support Assistant that poses a threat to Windows PCs. Since the software comes preinstalled in most recent HP systems, the bugs threaten a huge number of devices globally.
HP Support Assistant Bugs
Security researcher Bill Demirkapi has found multiple security vulnerabilities in the HP Support Assistant tool. These HP Support Assistant bugs threaten most Windows PCs since 2012 where the tool comes preinstalled in the HP devices. This applies to Windows 7, Windows 8, and Windows 10 systems alike.
Briefly, the researcher discovered 10 different vulnerabilities in the utility. These include 5 local privilege escalation flaws, 2 arbitrary file deletion vulnerabilities, and 3 remote code execution vulnerabilities.
Upon finding the vulnerabilities, the researcher reached out to HP after which, the vendors assured they will work on fixes. Nonetheless, HP failed to address all the bugs, especially the local privilege escalation bugs.
Specifically, out of the 10, HP released fixes for the three remote code execution and two arbitrary file deletion bugs. However, from the 5 local privilege escalation flaws, they patched only 1 and issued a partial fix for another. Whereas, three of these still remain unpatched even in the latest version. It means these three bugs (at least) still threaten thousands of Windows machines.
More details regarding these vulnerabilities are available in the researcher’s detailed write-up.
Possible Mitigations
For now, HP is yet to fix the unpatched vulnerabilities. Whereas, the latest version of HP Support Assistant bears the fixes for the remaining seven bugs. Yet, since the tool does not update automatically unless the users explicitly choose for it, HP users must make sure they update their devices immediately (if they haven’t yet) to (at least) avoid exploitation of a majority of bugs. The recent version presently is Version 9.6.587.0 / 8.8.24.33.
Nonetheless, for thorough mitigation of all vulnerabilities, the researcher recommends getting rid of the tool altogether. Users can do so by uninstalling the “HP Support Assistant” and “HP Support Solutions Framework” from their Windows devices.