SecurityWeek | Endpoint Security

Display Software Flaw Affects Millions of Devices

A potentially serious vulnerability has been found in third-party software shipped by several major vendors for their displays. The developer has rushed to release a patch for the flaw, which is believed to affect millions of devices worldwide.

The security hole was identified by researchers at SEC Consult in display software developed by Portrait Displays. The impacted product allows users to configure their displays (e.g. rotation, alignment, colors and brightness) via a software application instead of hardware buttons.

Portrait Displays’ products are used by several major vendors, including Sony, HP, Acer, Fujitsu, Philips, Dell, Benq, Lenovo, Sharp and Toshiba. However, SEC Consult could only confirm the vulnerability for Fujitsu’s DisplayView, HP’s Display Assistant and My Display, and Philips’ SmartControl applications. The apps, which are pre-installed on millions of devices, have been classified by the security firm as bloatware.

According to the researchers, the vulnerability, tracked as CVE-2017-3210, is a weak permission set on the Portrait Displays SDK service: any authenticated user is allowed to modify the service's configuration. Since the service runs with SYSTEM privileges, this lets a local attacker execute arbitrary commands as SYSTEM.

SEC Consult said an attacker can exploit the flaw by changing the service's binary path to a command of their choosing, which the service then runs as SYSTEM; this can be used, for example, to create new users, add users to groups, or change privileges.

Portrait Displays, which has classified the vulnerability as critical, has released a patch and advised users to install it immediately. The company says it’s not aware of any attacks where this flaw may have been exploited, but a “comprehensive review” is being conducted to confirm this.

As an interim workaround, users can tighten the vulnerable service's permissions with the Windows "sc" command (sc sdshow prints the service's security descriptor, sc sdset rewrites it), removing the configuration-change right from non-administrative users. CERT/CC has also released an advisory for this security hole.
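The weak-permission flaw described above (an ACL on the SDK service that lets any authenticated user change the service's configuration, binary path included) and the sc-based workaround can both be illustrated on the security descriptor string that "sc sdshow <service>" prints and "sc sdset" consumes. The following is an added example, not code from SEC Consult, Portrait Displays or any affected vendor: it parses such an SDDL string, flags Allow ACEs that grant a takeover right (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or their generic equivalents) to a broad trustee such as Authenticated Users or Everyone, and emits a hardened descriptor. The sample descriptor and the service name ExampleDisplaySvc are constructed for illustration; the real service's descriptor is not reproduced on this page.

```python
import re

# How the Service Control Manager interprets the generic SDDL access-right
# codes for a service object (the two-letter codes are generic; the meaning
# below is the service-specific one, with the corresponding access-mask bit).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x00000001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x00000002),  # lets the holder rewrite binPath
    "LC": ("SERVICE_QUERY_STATUS", 0x00000004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x00000008),
    "RP": ("SERVICE_START", 0x00000010),
    "WP": ("SERVICE_STOP", 0x00000020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x00000040),
    "LO": ("SERVICE_INTERROGATE", 0x00000080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x00000100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# Rights that let the holder take over a service: repoint its binary (DC),
# rewrite its ACL (WD, GW, GA) or take ownership (WO).
TAKEOVER_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}

# SDDL trustee abbreviations and SIDs that cover every ordinary user on the host.
BROAD_TRUSTEES = {
    "WD", "S-1-1-0",        # Everyone
    "AU", "S-1-5-11",       # Authenticated Users
    "BU", "S-1-5-32-545",   # BUILTIN\Users
    "IU", "S-1-5-4",        # INTERACTIVE
    "AN", "S-1-5-7",        # ANONYMOUS LOGON
    "BG", "S-1-5-32-546",   # BUILTIN\Guests
}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """Rights field of an ACE -> set of two-letter codes (accepts a hex mask too)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, (_, bit) in SERVICE_RIGHTS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def split_sddl(sddl):
    """Return (owner/group prefix, DACL flags, DACL ACE strings, SACL suffix)."""
    head, dacl = sddl.split("D:", 1)
    dacl, sep, sacl = dacl.partition("S:")
    first = dacl.find("(")
    flags = dacl[:first] if first >= 0 else dacl
    return head, flags, ACE_RE.findall(dacl), sep + sacl

def weak_aces(sddl):
    """Allow-ACEs in the DACL that hand a takeover right to a broad trustee."""
    findings = []
    for ace in split_sddl(sddl)[2]:
        parts = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(parts) < 6 or parts[0] != "A" or parts[5] not in BROAD_TRUSTEES:
            continue
        bad = parse_rights(parts[2]) & TAKEOVER_RIGHTS
        if bad:
            findings.append((parts[5], sorted(SERVICE_RIGHTS[r][0] for r in bad)))
    return findings

def harden(sddl):
    """Rebuild the descriptor with takeover rights stripped from broad trustees."""
    head, flags, aces, sacl = split_sddl(sddl)
    fixed = []
    for ace in aces:
        parts = ace.split(";")
        if len(parts) >= 6 and parts[0] == "A" and parts[5] in BROAD_TRUSTEES:
            keep = parse_rights(parts[2]) - TAKEOVER_RIGHTS
            parts[2] = "".join(c for c in SERVICE_RIGHTS if c in keep)  # canonical order
        fixed.append("(" + ";".join(parts) + ")")
    return head + "D:" + flags + "".join(fixed) + sacl

def sdset_command(service, sddl):
    """The sc.exe invocation that applies the hardened descriptor (elevated prompt)."""
    return f"sc sdset {service} {harden(sddl)}"

# Constructed `sc sdshow` output for illustration, not the real Portrait Displays
# descriptor: Authenticated Users (AU) hold DC (SERVICE_CHANGE_CONFIG) on top of
# the ordinary start/stop/query rights.
WEAK_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

if __name__ == "__main__":
    for trustee, rights in weak_aces(WEAK_SDDL):
        print(f"weak ACE: {trustee} holds {', '.join(rights)}")
    print(sdset_command("ExampleDisplaySvc", WEAK_SDDL))  # hypothetical service name
```

Two caveats a practitioner should keep in mind: sc sdset needs an elevated prompt and accepts whatever string it is given, so review the hardened descriptor before applying it, since a malformed or over-restrictive DACL can leave the service unmanageable; and the workaround only removes the takeover rights, it does not replace the vendor patch.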

While a patch has been made available, SEC Consult told SecurityWeek that it’s unlikely regular users will install it any time soon, especially since many will not even know they are affected. On the other hand, experts believe affected vendors could push the patch to users via their automatic software installers (e.g. Fujitsu DeskUpdate).

“It is quite juicy to observe that companies selling millions of notebooks, PCs and convertibles simply do not care (enough) about security,” SEC Consult’s Werner Schober said in a blog post. “The affected companies do have a net worth of multiple billions, but they do not have a few thousand euros/dollars/yen to conduct a proper security review on the software and services they are acquiring from 3rd parties. This vulnerability would have been identified immediately in a thorough security review of the application/service if an audit would have been conducted by security experts before shipping devices with this software. Even automated vulnerability scans would detect such weak service permissions.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
