Pre-Installed Utility Renders HP Computers Vulnerable to Attacks

A security researcher discovered multiple vulnerabilities in HP Support Assistant, a utility pre-installed on all HP computers sold after October 2012.


Pre-loaded on computers running Windows 7, Windows 8, and Windows 10, the tool was found to be impacted by ten vulnerabilities, including five local privilege escalation flaws, two arbitrary file deletion bugs, and three remote code execution bugs.

When launched, the utility starts hosting a “service interface” that exposes over 250 different functions to the client. The contract interface is exposed to the local system and clients connect to it through a specific pipe, security researcher Bill Demirkapi explains.

The service performs a series of checks to validate a connecting client before allowing it to call certain protected methods. Even with these mitigations in place, HP Support Assistant is insecure by design, the researcher says.

“This is because core components, such as the HP Web Product Detection rely on access to the service and run in an unprivileged context. The fact is, the current way the HP Service is designed, the service must be able to receive messages from unprivileged processes. There will always be a way to talk to the service as long as unprivileged processes are able to talk to the service,” the researcher notes.

The researcher found, for example, that an attacker could place their own malicious binary in specific folders on the system partition and have HP’s signed process execute it with system privileges; that a downloaded file would be executed even when its signature verification failed; and that an attacker could start an executable with the decrypt argument to write malicious payloads anywhere on the system.
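The first of those issues, a privileged process loading binaries from a folder that low-privilege users can write to, is something administrators can audit for. The following PowerShell function is an added example, not code from the article or from HP: it walks a directory tree and reports every ACL entry that grants file creation, deletion or permission changes to well-known low-privilege principals. The root path and the principal list are assumptions; the article does not name the affected folders.

```powershell
# Added audit helper (not HP's code): list directories under $Root whose ACL
# lets low-privilege principals plant or replace files. A service running as
# SYSTEM that loads executables from such a directory is exposed to the
# "drop a binary, have it run with system privileges" pattern described above.
function Find-LowPrivWritableDirectory {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumed set of principals any local user belongs to; extend as needed.
        [string[]] $LowPrivPrincipals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )

    # Rights that allow creating, replacing or deleting a file in the directory,
    # or rewriting the ACL itself. The two raw values are GENERIC_WRITE and
    # GENERIC_ALL, which show up on inherit-only entries instead of named rights.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 0x40000000 -bor
                 0x10000000

    # Include the root itself, then every subdirectory beneath it.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (placeholder path; substitute the install and working directories of
# the privileged service being audited):
# Find-LowPrivWritableDirectory -Root 'C:\Path\To\VendorTool' | Format-Table -AutoSize
```

A directory that appears in this output and is also a location the privileged service loads or executes from is the finding to fix: either tighten the ACL so only administrators and SYSTEM can write, or move the service's working files to a location that already has those defaults.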

Moreover, the researcher discovered that an attacker could employ two simple methods to delete any file on the machine, in the context of HP’s privileged process.

Furthermore, Demirkapi found that the “HP Download and Install Assistant” binary could be abused to achieve remote code execution. For that, an attacker would have to trick the victim into visiting a malicious site, trick the program into downloading a DLL, or obtain digital certificates for fake companies with “HP” or “Hewlett Packard” in their names.
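Two of the weaknesses described above come down to how a downloaded file is checked before it runs: a failed signature verification must abort execution rather than merely be logged, and the publisher must be identified by its certificate rather than by a name substring, since any applicant can obtain a certificate whose subject contains "HP". The following PowerShell is an added example of the hardened pattern, not HP's code; the thumbprint list and the download path are placeholders.

```powershell
# Added example (not HP's code): gate execution of a downloaded file on a
# passing Authenticode check AND on a pinned signing-certificate thumbprint.
function Test-TrustedSignedBinary {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Assumed placeholder: SHA-1 thumbprints of the publisher's real
        # code-signing certificates, obtained out of band, not from the download.
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status other than Valid covers NotSigned, HashMismatch, NotTrusted, etc.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed for $Path : $($sig.Status)"
        return $false
    }

    # Pin the signer by thumbprint. Matching on $sig.SignerCertificate.Subject
    # containing "HP" would accept any certificate issued to a look-alike name.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($TrustedThumbprints -notcontains $thumb) {
        Write-Warning "Untrusted signer: $($sig.SignerCertificate.Subject) ($thumb)"
        return $false
    }

    return $true
}

function Invoke-VerifiedInstaller {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedThumbprints
    )

    # Weak pattern (what the article describes): verify, log the failure, run anyway.
    #   Get-AuthenticodeSignature -FilePath $Path | Out-Null
    #   Start-Process -FilePath $Path
    #
    # Hardened pattern: the only path to Start-Process is through a passing check.
    if (-not (Test-TrustedSignedBinary -Path $Path -TrustedThumbprints $TrustedThumbprints)) {
        throw "Refusing to execute $Path"
    }
    Start-Process -FilePath $Path -Wait
}

# Usage (placeholders):
# Invoke-VerifiedInstaller -Path "$env:TEMP\update.exe" `
#     -TrustedThumbprints @('<SHA-1 thumbprint of the expected signing certificate>')
```

Two practical notes. Pinning thumbprints means the list has to be updated when the publisher rotates its certificate, so it belongs in a signed configuration or in code, never in the downloaded package. And the check is only meaningful if the file cannot be swapped between verification and execution, so the file should be copied to a directory that low-privilege users cannot write to before `Test-TrustedSignedBinary` runs on it.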

The researcher disclosed all vulnerabilities to HP in a responsible manner, and the company rolled out patches, but it seems that it failed to address all of the identified issues. In fact, the initial patches that were rolled out for the reported vulnerabilities introduced new flaws, the researcher says. The computer maker delivered new fixes in late March.

According to Demirkapi, users can mitigate the security risks posed by HP’s utility by completely removing it from their computers.

“This may not be an option for everyone, especially if you rely on the updating functionality the software provides, however, removing the software ensures that you’re safe from any other vulnerabilities that may exist in the application,” the researcher says.

Updating the application to the latest version is also an option, but it still leaves three local privilege escalation flaws unpatched, Demirkapi concludes.

Related: Flaw in HP Touchpoint Analytics Could Impact Many PCs

Related: Millions of Devices Exposed to Attacks Due to Flaw in PC-Doctor Software

Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
