Critical vulnerabilities in HP Support Assistant could allow arbitrary code execution

The tool which comes preinstalled on all brand-new HP notebooks and desktops could allow an attacker to escalate local privilege on vulnerable Windows systems

Multiple security vulnerabilities currently exist in HP Support Assistant software, which could enable remote attackers to execute arbitrary code on a vulnerable machine running the Windows operating system.

That's according to security researcher Bill Demirkapi, who says he discovered ten vulnerabilities in HP Support Assistant software in October 2019 and reported them to the PC maker, but the company failed to patch all the bugs in the tool.

The software, which is advertised by HP as a "free self-help tool", comes preinstalled on all brand-new HP notebooks and desktops. It was launched in 2012 to automatically manage the updates and repairs for PCs and printers manufactured by HP.

HP also allows users to install the programme on PCs from other manufacturers for easy access to support resources and tools for HP printers and PCs. Users can configure their options to install updates automatically or to be notified when updates are available.

According to Demirkapi, the vulnerabilities reported to HP last year included three remote code execution (RCE) bugs, two file deletion bugs, and five local privilege escalation bugs.

After receiving the initial disclosure report from Demirkapi, HP released a security update in December 2019 that fixed some of the reported flaws. In January 2020, Demirkapi sent an updated report to HP discussing all the flaws that the company had left unpatched, as well as a newly discovered bug.

HP then released another security update in March 2020 but failed again to fix three local privilege escalation bugs in the tool.

"It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine," Demirkapi warned users in an online post.

To fully mitigate these vulnerabilities, Demirkapi recommends that users uninstall the vulnerable tool by removing both HP Support Assistant and HP Support Solutions Framework from their systems.

For users who still want to use the tool, the next best option is to update the agent to the latest version, which fixes all vulnerabilities except for three local privilege escalation vulnerabilities.
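Because the article's recommended mitigation is removal of two separate components, an administrator checking a fleet first needs to know which machines still have either one registered. The following PowerShell inventory check is an added example, not code from the article, from Demirkapi, or from HP. It reads the standard Windows Uninstall registry keys (64-bit and 32-bit views) and lists any product whose display name matches the two names given in the article; the wildcard patterns are an assumption based on those product names, and the script only reports, it does not uninstall anything.

```powershell
# Added example (not from the article or from HP): report whether HP Support Assistant
# or HP Support Solutions Framework is registered on this machine, with the installed
# version, so it can be compared against HP's latest release or scheduled for removal.
# DisplayName patterns are an assumption based on the product names in the article.
$patterns = @('HP Support Assistant*', 'HP Support Solutions Framework*')

# Standard per-machine Uninstall keys for 64-bit and 32-bit installers.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-HpSupportComponents {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            if (-not $name) { return $false }
            foreach ($p in $patterns) {
                if ($name -like $p) { return $true }
            }
            return $false
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

$found = Get-HpSupportComponents
if (-not $found) {
    Write-Output 'Neither HP Support Assistant nor HP Support Solutions Framework is registered in the Uninstall keys.'
} else {
    $found | Format-Table -AutoSize
    # Per the article, updating alone leaves three local privilege escalation bugs
    # unpatched; only removing both components fully mitigates them.
    Write-Output 'One or both components are present; removal of both is required for full mitigation.'
}
```

Run it in an elevated PowerShell session on the host being checked; the UninstallString column shows the command the installer registered for removal, which is what a software-deployment tool would invoke if removal is the chosen course.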