In his vulnerability disclosure, Demirkapi said he first reported his findings to HP on October 5, 2019. An update meant to fix the problems was pushed out by HP on December 19, Demirkapi said. However, he also noted that there were still unpatched vulnerabilities after this date and sent another report to HP on January 6, 2020, and another patch was scheduled for release in March. This was delayed because of the ongoing COVID-19 pandemic.

Still, a patch was released on April 1 that the HP Product Security Response Team (PSRT) said fixes "potential escalation of privilege and arbitrary file deletion" with "certain versions of HP Support Assistant." This should automatically update the HP Support Assistant software, but the software can also be updated manually by following the resolution instructions in the security bulletin published April 2.

Demirkapi has an in-depth drill-down in his public disclosure, published April 3, which is worth a read if you want the technical minutiae.

Are you still at risk as an HP Support Assistant user?

I contacted Demirkapi to chat about his research and the three unpatched local privilege escalation vulnerabilities in particular.

"Local privilege escalation vulnerabilities are used after an attacker gains access to your system," Demirkapi says, "making it far less likely to occur than, for example, a remote code execution vulnerability." This means the average user, Demirkapi says, "probably aren't at significant risk of having this vulnerability exploited against them." Where they would still be at risk while these vulnerabilities remain unpatched is in the case of an attacker who already has a presence on the computer, but in a non-admin user role.

"An attacker can use any of the unpatched vulnerabilities to escalate their privileges to administrator," Demirkapi says.

An HP spokesperson gave me the following statement: "We were advised of potential vulnerabilities with some versions of HP Support Assistant and issued a security bulletin to address these here. We are fully investigating any further vulnerabilities alleged by the researcher and will escalate any necessary mitigations. The security of our customers is always a top priority and we urge all customers to keep their systems up to date."

I asked Demirkapi how confident he is that a further fix will happen any time soon, following that HP statement. "An executive from HP has reached out to work out the remaining issues," Demirkapi confirmed, adding that "I am working closely with HP to fix the remaining issues as soon as possible."

Mitigating the risk of attack

So, mitigating the risk here comes in two parts.

First, there's the nuclear option, which is advised if you have never used the HP Support Assistant on your computer and have no intention of using it in the future. By uninstalling the software, you remove the risk of being exposed to any local privilege escalation exploit as a result of the yet-to-be-patched vulnerabilities that Demirkapi is helping HP with right now. To do this, you can use the Windows add or remove programs functionality, but make sure you uninstall both the HP Support Assistant and the HP Support Solutions Framework if doing so.

Personally, I wouldn't recommend uninstallation for the average user, as the remaining risk of being exploited by an attacker is relatively low, while having firmware updates, which include security fixes, will protect you from as yet unknown future exploits.

As already mentioned, the fixes already rolled out to the Support Assistant should be applied automatically, but that may not be the case for everyone. It's vital, therefore, that you check to ensure your software has been updated.
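The two checks the article asks for, whether both components are gone or whether what remains is at the patched version, can be read from the Windows uninstall registry keys. This PowerShell script is an added example, not code from the article or from HP; the fixed version number is a placeholder to be taken from HP's April 2 bulletin, and product entries are matched on their DisplayName prefix.

```powershell
# Added example (not from the article or from HP): inventory HP Support Assistant and
# HP Support Solutions Framework so you can confirm they were updated or fully removed.
# Per-machine installs are registered under the 64-bit and 32-bit Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# PLACEHOLDER: the article does not give the fixed build; copy it from the HP bulletin.
$minimumFixedVersion = [version]'0.0.0.0'

# The article's point: removing only one of these two leaves the job half done.
$components = 'HP Support Assistant', 'HP Support Solutions Framework'

$allEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$present = @{}
foreach ($name in $components) {
    # Prefix match: installers sometimes append edition or locale text to the name.
    $present[$name] = @($allEntries | Where-Object { $_.DisplayName -like "$name*" })
}

$installed = 0
foreach ($name in $components) {
    if ($present[$name].Count -eq 0) {
        Write-Output "$name : not installed"
        continue
    }
    $installed++
    foreach ($entry in $present[$name]) {
        $ver = $null
        $parsed = [version]::TryParse($entry.DisplayVersion, [ref]$ver)
        $status = if (-not $parsed) { 'version unreadable, check manually' }
                  elseif ($ver -ge $minimumFixedVersion) { 'at or above the fixed version' }
                  else { 'BELOW the fixed version, update via the bulletin instructions' }
        Write-Output ('{0} {1} : {2}' -f $entry.DisplayName, $entry.DisplayVersion, $status)
    }
}

# Half-removed state: one component gone, the other still present.
if ($installed -eq 1) {
    Write-Warning 'Only one of the two components is removed; uninstall both to remove the software fully.'
}
```

Run it from an elevated PowerShell prompt; a report of "not installed" for both names means the uninstall route was completed, while any "BELOW" line means the automatic update has not landed on that machine.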