HP Support Assistant flaws expose Windows PCs to hackers


Software pre-installed on all new HP laptops and computers has a number of major security flaws which could open up the device to hackers, experts have warned.

The HP Support Assistant software was found to have several unpatched vulnerabilities which could have let hackers access the system remotely, make changes in privileges or even execute arbitrary files.

Ten vulnerabilities (three remote code execution vulnerabilities, five local privilege escalation flaws and two arbitrary file deletion vulnerabilities) were found and highlighted in October 2019. However, even after a couple of software updates, HP has not been able to patch three of the local privilege escalation bugs, leaving users vulnerable to attack.

HP Support Assistant is a DIY tool that is designed to assist users with regular firmware and driver updates for their devices including laptops, PCs, as well as HP printers.

Unpatched

The vulnerabilities let malware elevate its permissions, which means that once a device has been infiltrated, it can be compromised even further.

According to Bill Demirkapi, the researcher who uncovered the threats, “It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine.”

Owing to the serious nature of these flaws and HP’s failure to fix them even with its latest March update, users have been advised to delete both HP Support Assistant and HP Support Solutions Framework from their devices.

However, anyone who relies on both these update assistants should manually ensure that the latest versions of these applications are installed on the system.

Users can always install the latest app from HP’s website or turn on the built-in automatic updates. By default, automatic updating is not turned on, and users are required to turn on the feature manually.

It is worth keeping in mind that even if you're using the latest HP Support Assistant software, you're still vulnerable to hacks, as HP has not fully patched the bugs.

Apart from HP, Demirkapi has also revealed vulnerabilities in similar apps from other Windows PC vendors, like Lenovo and Dell.

Via: BleepingComputer

Jitendra Soni

Jitendra has been working in the Internet Industry for the last 7 years now and has written about a wide range of topics including gadgets, smartphones, reviews, games, software, apps, deep tech, AI, and consumer electronics.  
