Have A Dell PC? You Might Want To Secure Yourself Against This Vulnerability
Sometimes a big security flaw crops up in the software that ships with new computers, and that is the situation Dell finds itself in. More importantly, so do its users, now that it has come to light that Dell's SupportAssist software has been vulnerable since at least October of last year.
The app normally bills itself as "the industry's first automated proactive and predictive support technology," but right now its claim to fame is being a security hole installed on "most of all new Dell devices running Windows." According to 17-year-old security researcher Bill Demirkapi, it has been exploitable for at least six months. The only good news is that an attacker has to be on the same local network as the victim (the advisory's phrase is "sharing the network access layer"), which is cold comfort for anyone who uses a vulnerable machine on a shared office or public Wi-Fi network.
Right now, owners of Dell computers running SupportAssist have two options. The first is to uninstall it entirely, which we might be tempted to do given how much we doubt its purpose; the other is to update to SupportAssist 3.2.0.90 or later. Dell has a support page with details on the vulnerability and a link to the updated version of SupportAssist for those who want it. Either way, check the installed version afterwards: a SupportAssist entry older than 3.2.0.90 in Apps & features (or the Uninstall registry key) means the fix has not landed.
Dell's advisory describes two separate issues in the same client, quoted here:
Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.
Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.
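The two advisory items above describe a familiar pattern for a local "support agent" that listens on an HTTP port: a browser page asks it to do something, the agent checks where the request came from, then fetches and runs a binary. The example below is added for illustration and is not Dell's code, Demirkapi's proof of concept, or a description of how SupportAssist actually validated origins; the hostnames, origins, endpoint name, status codes and hash are all constructed for the example. It puts a weak origin and download check (substring matching on the vendor's name) beside the strict form a hardened agent should use, so you can see exactly which attacker-controlled inputs each one accepts.

```python
"""Illustrative local support-agent request checks.

Added example: NOT Dell's code and not a reproduction of the real bug.
The weak checks model the two advisory items in general terms (an origin
check an attacker site can satisfy, and a download step that will fetch
and run a binary from any host); the strict checks show the hardened form.
All origins, hosts, URLs and payloads are constructed for this example.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed allowlists: the only origins allowed to drive the agent and
# the only hosts it may fetch executables from.
TRUSTED_ORIGINS = {"https://support.vendor.example"}
TRUSTED_DOWNLOAD_HOSTS = {"downloads.vendor.example"}


def weak_origin_ok(origin: str) -> bool:
    """Improper origin validation: substring match on the Origin header.
    Any origin that merely *contains* the vendor name passes, including
    attacker sites such as https://vendor.example.attacker.test."""
    return "vendor.example" in (origin or "")


def strict_origin_ok(origin: str) -> bool:
    """Exact match against an allowlist of full origins (scheme + host).
    A missing Origin header is untrusted, not assumed to be same-origin."""
    return origin in TRUSTED_ORIGINS


def weak_download_ok(url: str) -> bool:
    """Same mistake applied to the download URL: the vendor name anywhere
    in the URL is enough, so http://attacker.test/vendor.example/x.exe passes."""
    return "vendor.example" in url


def strict_download_ok(url: str) -> bool:
    """Require https and an exact host allowlist before fetching anything."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_DOWNLOAD_HOSTS


def verify_payload(data: bytes, expected_sha256: str) -> bool:
    """Pin the artifact: execute only if its hash matches what a trusted
    manifest said. A real agent would also check the Authenticode
    signature; hashing keeps this example offline."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def handle_install(headers: dict, url: str, payload: bytes,
                   expected_sha256: str, strict: bool = True) -> int:
    """Decision logic for a hypothetical /install endpoint. Returns an HTTP
    status: 403 (origin rejected), 400 (download URL rejected),
    409 (payload hash mismatch) or 200 (agent would execute the binary)."""
    origin = headers.get("Origin", "")
    origin_ok = strict_origin_ok if strict else weak_origin_ok
    download_ok = strict_download_ok if strict else weak_download_ok
    if not origin_ok(origin):
        return 403
    if not download_ok(url):
        return 400
    if strict and not verify_payload(payload, expected_sha256):
        return 409
    return 200


# Constructed inputs: a lookalike attacker origin, an attacker-hosted URL
# that contains the vendor name, and a stand-in for the genuine installer.
ATTACKER_ORIGIN = "https://vendor.example.attacker.test"
ATTACKER_URL = "http://attacker.test/vendor.example/tool.exe"
GOOD_URL = "https://downloads.vendor.example/tool.exe"
GOOD_BLOB = b"MZ constructed stand-in for the vendor's signed installer"
GOOD_HASH = hashlib.sha256(GOOD_BLOB).hexdigest()

if __name__ == "__main__":
    hdrs = {"Origin": ATTACKER_ORIGIN}
    # Weak checks: attacker page drives the agent and it runs attacker's binary.
    print("weak  :", handle_install(hdrs, ATTACKER_URL, b"evil", GOOD_HASH, strict=False))  # 200
    # Strict checks: same request is refused at the origin check.
    print("strict:", handle_install(hdrs, ATTACKER_URL, b"evil", GOOD_HASH))  # 403
```

The point of the strict path is that each stage fails closed on its own: a lookalike origin is refused outright, a download URL on the wrong host or over plain http never gets fetched, and even a URL on the right host does not get executed unless the bytes match the pinned hash. An agent that is only reachable from the local network still needs all three, because "local network" includes whatever the victim plugs into or joins.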
This isn't the first time an OEM has shipped software on new computers that turned out to be a gaping security hole, and unfortunately we doubt it will be the last.