Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool
Can't spell SupportAssist without 'ass' and 'u' – other makers may be hit, too
Dell's troubleshooting software SupportAssist, bundled with the US tech titan's home and business computers, has a security flaw that can be exploited by malware and rogue logged-in users to gain administrator powers.
The Texan system slinger today issued an advisory warning that its PC repair tool suffers a privilege-escalation vulnerability, CVE-2019-12280, and needs patching. We're told Dell SupportAssist for Business PCs version 2.0.1 and Dell SupportAssist for Home PCs version 3.2.2 are the builds you need to fetch and install to kill off this high-severity hole.
Affected versions of the software include Dell SupportAssist for Business PCs version 2.0, and Dell SupportAssist for Home PCs version 3.2.1 and all prior releases.
The IT giant includes the Windows-based troubleshooting program with new desktops, notebooks, and tablets. Unfortunately, as eggheads at SafeBreach Labs discovered and privately reported, the software insecurely loads .dll files when run. Researcher Peleg Hadar told The Register SupportAssist, which runs with SYSTEM-level privileges, will automatically pull in unsigned code libraries from user-controlled folders. That means malware or dodgy users can leave their own .dll files in a path, wait for SupportAssist to blindly load them, and thus execute code within an admin context.
That would allow software nasties already on a computer, or a rogue logged-in insider, to gain complete control over a vulnerable box. It also means, say, browser exploits that can drop files arbitrarily in user-writable directories can potentially trigger a remote admin-level compromise. This .dll injection vulnerability is present on as many as 100 million Dell PCs, SafeBreach estimated.
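The weak condition described above is a SYSTEM-level process loading libraries that are unsigned or that live in directories ordinary users can write to. The following PowerShell script is an added example for auditing that condition on a host; it is not Dell's, PC Doctor's or SafeBreach's code. It assumes a Windows host, an elevated PowerShell session (module lists of SYSTEM processes are not readable otherwise), and that `PLACEHOLDER_PROCESS` is replaced with the image name (without `.exe`) of the service being audited.

```powershell
# Added example (not from the article, Dell, PC Doctor or SafeBreach).
# Audits the libraries a running process has loaded and flags the two risk
# conditions the article describes: a library that is not validly signed, or
# one sitting in a directory that non-administrators can write to.
# Run from an elevated PowerShell on Windows.
# Assumption: 'PLACEHOLDER_PROCESS' is a stand-in for the real process name.

# Principals whose write access makes a directory effectively user-controlled.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# WriteData (0x2) lets a principal create or overwrite files in a directory.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) imply it, and the
# Modify and FullControl rights already contain the WriteData bit.
$WriteMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Test-BroadWritable {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An inherit-only ACE applies to children, not to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so undefined (generic) rights bits survive the comparison.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-LoadedModuleRisk {
    param([string]$ProcessName = 'PLACEHOLDER_PROCESS')
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$ProcessName'"
        return
    }
    foreach ($p in $procs) {
        try {
            $modules = $p.Modules
        } catch {
            # Typical causes: not elevated, or 32-bit PowerShell inspecting a 64-bit process.
            Write-Warning "Cannot enumerate modules of PID $($p.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Process         = $p.ProcessName
                PID             = $p.Id
                Module          = $path
                Signature       = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                DirUserWritable = Test-BroadWritable -Directory (Split-Path -Parent $path)
            }
        }
    }
}

# Report only the modules that match either risk condition.
Get-LoadedModuleRisk -ProcessName 'PLACEHOLDER_PROCESS' |
    Where-Object { $_.Signature -ne 'Valid' -or $_.DirUserWritable } |
    Format-Table -AutoSize
```

This catches libraries the process has already loaded. A search-order hijack of a library that does not yet exist on disk leaves no loaded module to inspect; spotting that case means watching the process's file lookups (for example with Sysinternals Process Monitor, filtering on `NAME NOT FOUND` results for `.dll` paths) and checking whether any probed directory is user-writable with the same `Test-BroadWritable` logic.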
"We can assume that all Dell PCs that run the Windows operating system without changes from the manufacturer are vulnerable, as long as the user didn't update," said Hadar.
The most concerning part of this story is that Hadar believes Dell is not alone in shipping PCs with this particular flaw.
The reason for this is that the vulnerability lies in a third-party component of Dell's SupportAssist software that is produced and maintained by PC Doctor, a support and diagnostics app specialist: PC Doctor sells its software to PC makers that then integrate the code into their own products, such as SupportAssist in the case of Dell.
"Once we found and reported it to Dell, they reported it to PC Doctor," explained Hadar. "They said there are several OEMs that are affected by this."
Indeed, Dell's brief advisory, which contains instructions on how to patch, noted: "Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs require an update to the latest versions to address a security vulnerability within the PC Doctor component."
Unfortunately, SafeBreach did not hear from PC Doctor to confirm the extent of the fallout of this programming blunder, and El Reg was unable to get in touch with the developer by the time of publication.
Should the vulnerable software prove to have been distributed by other computer vendors, it is likely we will see several big names in the PC space issuing updates similar to Dell's, and PC Doctor will have some explaining to do to its partners and the general public. ®
Updated to add on Friday, June 21
A spokesperson for Dell has been in touch to say "more than 90 percent of customers have downloaded the update and are no longer at risk," and that the vulnerability was present in "several million" Dell computers. They also added that the fix for CVE-2019-12280 was quietly rolled out on May 28, though Dell only got round to publishing an advisory note this week.