Dell’s SupportAssist app had serious security flaws, reveals 17-year-old

Dell’s SupportAssist app had serious security flaws, reveals 17-year-old
HIGHLIGHTS

Dell SupportAssist Client harboured serious vulnerabilities for a long time.

They were discovered by a 17-year-old American security researcher.

Dell issued a fix for them recently.

Dell's SupportAssist, an inbuilt tool designed to install the right drivers and perform health checks on Dell PCs, had been harbouring a couple of security vulnerabilities since at least September last year. The discovery of the two high-severity vulnerabilities was made by Bill Demirkapi, a 17-year-old security researcher from Boston, Massachusetts when he decided to replace his aging MacBook Pro with a Dell G3 15.

Named Remote Code Execution Vulnerability (CVE-2019-3719), the first vulnerability allows an unauthenticated attacker to share the network access layer with the vulnerable system and let the attacker compromise the system by tricking a victim into downloading and executing arbitrary executables using SupportAssist from attacker hosted sites. The second vulnerability, called Improper Origin Validation (CVE-2019-3718), allows an authenticated attacker to exploit the vulnerability to attempt one-click attacks on users of affected PCs.

Demirkapi, who recounts his discovery in a blog post, apparently wrote to Dell about the vulnerabilities back in late October. Soon, Dell acknowledged the existence of the vulnerabilities and promised to roll out a fix in the first quarter of 2019. In late April, Dell released an advisory on the matter. According to Dell, SupportAssist Client version 3.2.0.90 (and later) contains resolutions to the reported vulnerabilities. What does this mean for you? If you own a Dell PC, you should update SupportAssist to this version or later as soon as possible.

A couple of months ago, WinRAR patched a 19-year-old security vulnerability in the archival tool's code after security researchers outlined its potential risks in a public blog post. The vulnerability allowed attackers to extract malicious software anywhere on the PC's hard drive. A little before that, an Indian security researcher found a security vulnerability in the Microsoft Store app on Windows 10 that could potentially affect over 400 million users.

Vignesh Giridharan

Vignesh Giridharan

Progressively identifies more with the term ‘legacy device’ as time marches on. View Full Profile

Digit.in
Logo
Digit.in
Logo