HP's most annoying bloatware has a serious security flaw


HP has issued a warning of a vulnerability in its much-unloved Support Assistant tool.

The flaw in the service, which comes pre-installed on all HP laptops and desktops, was discovered by Secure D researchers, who flagged it as especially worrying given its “high” severity score of 8.2.

The experts say that attackers could abuse the flawed HP Support Assistant tool to elevate their privileges on vulnerable systems, gaining a level of access they were never granted.

HP Support Assistant vulnerability

An advisory notice issued by HP says that the DLL hijacking flaw is triggered when users launch HP Performance Tune-up from within HP Support Assistant, an app designed to help users troubleshoot problems, run diagnostic tests and check for BIOS and driver updates, among other features.

The DLL vulnerability, tracked as CVE-2022-38395, involves a threat actor planting a malicious library where HP Support Assistant will load it, abusing the order in which Windows searches for DLLs so that the planted library is picked up in preference to the legitimate one in the System32 directory.
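Defenders will want a way to spot this pattern in endpoint telemetry. The following is an added example, not HP's or Secure D's code: it scans Sysmon Event ID 7 (image load) records for DLLs that share a name with a library normally loaded from System32 or SysWOW64 but are loaded from elsewhere, and for unsigned DLLs loaded by the watched process. The process path, DLL names and log values are constructed for illustration and are not taken from the advisory.

```python
"""Flag DLL search-order hijacking candidates in Sysmon Event ID 7 (image load) records."""
import ntpath

# Directories Windows treats as the legitimate home of system DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events (field names follow Sysmon's ImageLoaded schema);
# the process path and DLL names are assumptions, not values from the advisory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\HP\HPSupportAssistant\HPSupportAssistant.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\HP\HPSupportAssistant\HPSupportAssistant.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\HP\HPSupportAssistant\HPSupportAssistant.exe",
     "ImageLoaded": r"C:\Program Files\HP\HPSupportAssistant\hpvendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _split(path: str):
    """Normalise a Windows path and split it into (directory, file name)."""
    return ntpath.split(path.replace("/", "\\").lower())


def system_dll_names(events) -> set:
    """Baseline: names of DLLs observed loading from a trusted system directory."""
    names = set()
    for ev in events:
        directory, name = _split(ev["ImageLoaded"])
        if directory in SYSTEM_DIRS:
            names.add(name)
    return names


def hijack_candidates(events):
    """Return (loader, loaded_path, reason) for suspicious loads.
    Rule 1: a DLL whose name matches a system DLL but loads from a non-system directory.
    Rule 2: any other DLL that is not signed."""
    baseline = system_dll_names(events)
    hits = []
    for ev in events:
        directory, name = _split(ev["ImageLoaded"])
        if name in baseline and directory not in SYSTEM_DIRS:
            hits.append((ev["Image"], ev["ImageLoaded"], "system DLL name loaded outside system directory"))
        elif ev.get("Signed", "").lower() != "true":
            hits.append((ev["Image"], ev["ImageLoaded"], "unsigned DLL loaded"))
    return hits
```

Run against real Sysmon output by feeding the parsed event data into `hijack_candidates`; the baseline rule only fires for names the log has already seen loading from a system directory.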

In an effort to iron out the vulnerabilities that have been spotted, HP is urging its customers to update the Support Assistant app immediately. A security update for version 9.x has been released on the Microsoft Store; users on version 8.x, however, will not receive a security patch. Instead, they too are being urged to update to the latest 9.x release, which can be obtained through the ‘Check for updates’ button in the ‘About’ section.

BleepingComputer highlights that this isn’t the first time that HP’s Support Assistant app has suffered from vulnerabilities. In fact, we reported that ten flaws were found in October 2019, some of which were unpatched for more than a year after they were initially discovered.

While keeping software up to date is one way of staying on top of security patches, a larger software footprint inevitably means more potential vulnerabilities. With that in mind, removing unnecessary or unwanted software reduces the attack surface and, at the same time, frees up disk space and processing power on your machine.

Via BleepingComputer 

Craig Hale
