Dell's SupportAssist app had serious security flaws, reveals 17-year-old

By Vignesh Giridharan | Updated 5 May 2019
Dell's SupportAssist app had serious security flaws, reveals 17-year-old
  • Dell SupportAssist Client harboured serious vulnerabilities for a long time.
  • They were discovered by a 17-year-old American security researcher.
  • Dell issued a fix for them recently.

Dell's SupportAssist, an inbuilt tool designed to install the right drivers and perform health checks on Dell PCs, had been harbouring a couple of security vulnerabilities since at least September last year. The discovery of the two high-severity vulnerabilities was made by Bill Demirkapi, a 17-year-old security researcher from Boston, Massachusetts when he decided to replace his aging MacBook Pro with a Dell G3 15.

advertisements

Named Remote Code Execution Vulnerability (CVE-2019-3719), the first vulnerability allows an unauthenticated attacker to share the network access layer with the vulnerable system and let the attacker compromise the system by tricking a victim into downloading and executing arbitrary executables using SupportAssist from attacker hosted sites. The second vulnerability, called Improper Origin Validation (CVE-2019-3718), allows an authenticated attacker to exploit the vulnerability to attempt one-click attacks on users of affected PCs.

Demirkapi, who recounts his discovery in a blog post, apparently wrote to Dell about the vulnerabilities back in late October. Soon, Dell acknowledged the existence of the vulnerabilities and promised to roll out a fix in the first quarter of 2019. In late April, Dell released an advisory on the matter. According to Dell, SupportAssist Client version 3.2.0.90 (and later) contains resolutions to the reported vulnerabilities. What does this mean for you? If you own a Dell PC, you should update SupportAssist to this version or later as soon as possible.

A couple of months ago, WinRAR patched a 19-year-old security vulnerability in the archival tool's code after security researchers outlined its potential risks in a public blog post. The vulnerability allowed attackers to extract malicious software anywhere on the PC's hard drive. A little before that, an Indian security researcher found a security vulnerability in the Microsoft Store app on Windows 10 that could potentially affect over 400 million users.

advertisements
advertisements
Vignesh Giridharan
Progressively identifies more with the term ‘legacy device’ as time marches on.
advertisements
ASK DIGIT

Recent Questions

Security app
Baranidharan Nagarajan
Aug 30, 2014
Responses
Comments
Be the first one to post the comment
Post a New Comment
You must be signed in to post a comment
advertisements