Every Dell endpoint running Microsoft Windows has a nasty remote-code execution vulnerability. The security hole is in the SupportAssist module.
Amazingly, Dell figured it would be great to allow a web page to take full control of a PC—admin privileges and all. Bypassing the tool’s minimal checks turns out to be trivial.
To top it off, it took Dell six months to fix this vulnerability. In today’s SB Blogwatch, we rush to install the patch.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 1dashlastkeep.
What’s the craic? Catalin Cimpanu casts, “Dell laptops and computers vulnerable”:
A vulnerability … exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges … and take over users’ systems. … The number of impacted users is believed to be very high, as the SupportAssist tool is one of the apps that Dell will pre-install on all Dell laptops and computers … running Windows OS.
Dell … has worked for the past months to patch CVE-2019-3719, a task that concluded last week with the release of SupportAssist v184.108.40.206, which Dell users are now advised to install.
No **** Sherlock? Roland Moore-Colyer asks, “But who patches the patcher that patches the patcher?”:
The job of SupportAssist is to automatically detect and install drivers. … Folks who’ve stopped automatic updates on their Dell machines or organisations handling updates in-house should make sure the patch is applied.
Who is this mysterious 17-year-old researcher? Oh, it’s that Bill Demirkapi guy:
When we think of Remote Code Execution (RCE) vulnerabilities [one] attack vector to consider is “What third-party software came with my PC?” … Dell SupportAssist [is] meant to “proactively check the health of your system’s hardware and software,” and … is “preinstalled on most of all new Dell devices.”
Back in September … I decided to [install] an SSD. After upgrading and re-installing Windows, I had to install drivers. This is when things got interesting.
A program which automatically installs drivers for me. … It seemed risky. The agent wasn’t installed on my computer because it was a fresh Windows installation, but I decided to install it to investigate further. It was very suspicious that Dell claimed to be able to update my drivers through a website.
Exactly how does this sort of fail keep happening? cryptonector explainifies:
“Let’s differentiate our otherwise commodity hardware product! … I know, let’s add value with bundled software the customer can’t uninstall!”
Then the bundled software turns out to (inevitably) be useless vulnerable garbage. Inevitably because:
a) the customer doesn’t need it, [and]
b) it’s engineered with all the effort that normally goes into adware for captive audiences (i.e., minimal), which means it will be vulnerable.
Here’s an idea:
“Let’s differentiate our otherwise commodity hardware product! … Let’s add NO bundled software.”
That would be fantastic.
Tinfoil hat ahoy? This Anonymous Coward calls back to earlier this week:
Why aren’t we spinning this into “Dell inserted back doors into computer equipment for years” the way we do when a security vulnerability is found in Huawei equipment? Is it possible that the government and media are working very hard at making foreign manufacturers of computer equipment seem dangerous and bad? Could it be that there is a lot of lying and false accusations?
Oh. It’s not a Chinese company. Nothing to see here.
lulz. AmiMoJo thinks that’s “missing the point”:
Huawei is run by an authoritarian government and all bugs are deliberate backdoors designed to steal Western trade secrets! Buying a Huawei is basically inviting the Chinese Communist Party into your business!
Oh wait, it’s Dell. … I guess we better ban US products too.
Did somebody say “Dell SupportAssist”? Poor old useerup wanted a trigger warning:
One year ago [SupportAssist] was using excessive CPU on my Dell. I tried to uninstall, but the uninstaller crashed.
I turned to dell.com and then Google. Turned out that thousands of people had the same problem, but no solution from Dell.
This is a sorry PoS application. In my experience, OEMs like Dell, HP create horrible software and drivers.
And an alliterative Alex Alderson adds an angle: [You’re fired—Ed.]
Dell reportedly sat silently on a critical … vulnerability for nearly 6 months, according to the security researcher that reported it to the company. If you have the software installed, then chances are that your laptop will be affected, and it will be open to attackers unless you [update]. Stop what you are doing and check. … If its version number is older than 220.127.116.11, then download the latest version immediately.
It is bad enough that it took a teenager to find a security exploit that seems to be by design, but Dell’s handling of the issue makes matters even worse. This will have affected millions of computers, yet it took the company almost six months to release a fix.
Poor show indeed, Dell.
Ouch. Meanwhile, driverdan drives home the point:
I would have publicly disclosed after 90 days. A single line of code would have closed the URL problem and could have been deployed the next day. Six months is ridiculous.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Southeast Asia Digital Library (public domain)