Computing giant Dell released a security advisory on Thursday urging consumers to update their laptops and PCs to patch a security vulnerability the company says could have enabled hackers to access sensitive information.
The vulnerability, CVE-2019-12280, was identified in Dell’s SupportAssist application for business (version 2.0) and home PCs (version 3.2.1 and prior).
The issue in SupportAssist could have allowed an attacker with a foothold on a machine to take it over completely and read the contents of its physical memory, according to cybersecurity firm SafeBreach, which discovered and reported the vulnerability.
Since the troubleshooting service runs with system-level privileges, the researchers demonstrated that it could be made to load untrusted code libraries (dynamic link libraries, or DLLs for short): the service resolved the DLLs it needed by searching the directories listed in the PATH environment variable, and one of those directories was writable by ordinary, non-administrator users.
Programs such as SupportAssist load DLLs as they start up and take the first file that matches the name they ask for. An attacker who can write to a directory the loader searches can corrupt an existing DLL or plant a new one with the expected name, and the program then executes the attacker's code with its own privileges.
The result is a local privilege escalation: a standard user who drops a DLL into one of those directories gets their code run as SYSTEM, which is enough to take full control of the targeted machine.
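The class of bug described above, a privileged service resolving DLLs through PATH, is easy to audit for on any Windows machine. The following PowerShell script is an added example written for this page; it is not code from Dell, PC-Doctor or SafeBreach, and it does not reproduce the SupportAssist exploit. It walks the machine-wide PATH and reports entries where a standard user can create files, or missing entries a standard user could create. It assumes Windows with PowerShell 5.1 or later and an elevated prompt so that every ACL can be read; the list of low-privilege SIDs is an assumption you may need to extend for your environment.

```powershell
# Added example, not code from Dell, PC-Doctor or SafeBreach: enumerate the machine-wide
# PATH and report entries a standard user could plant a DLL in. A SYSTEM service that
# resolves DLL names through PATH will load whatever it finds there first.
# Assumes Windows with PowerShell 5.1 or later, run from an elevated prompt so that
# every directory's ACL can be read.

Set-StrictMode -Version Latest

# Assumption: these well-known SIDs cover the low-privilege principals that matter on a
# typical workstation. Comparing SIDs rather than names keeps the check locale-independent.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# FILE_WRITE_DATA (CreateFiles) lets a caller drop a file, FILE_APPEND_DATA
# (CreateDirectories) lets it create a subdirectory; Modify and FullControl include both.
# Some ACEs carry generic rights instead of specific ones, so those are checked as well.
$createFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$createDirs   = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
$genericWrite = 0x40000000
$genericAll   = 0x10000000

function Get-LowPrivGrant {
    # Returns the SID of the first low-privilege principal granted $RequiredMask on $Path,
    # or $null. Only Allow ACEs are inspected; an explicit Deny for the same principal
    # would mask the grant, so treat a hit as "inspect", not "confirmed exploitable".
    param([string]$Path, [int]$RequiredMask)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or untranslatable identity
        }
        if ($lowPrivSids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if (($mask -band $RequiredMask) -or ($mask -band $genericWrite) -or ($mask -band $genericAll)) {
            return $sid
        }
    }
    return $null
}

# The machine-scoped PATH is what services inherit; per-user PATH entries do not matter here.
$pathEntries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Select-Object -Unique

$findings = foreach ($dir in $pathEntries) {
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $sid = Get-LowPrivGrant -Path $dir -RequiredMask $createFiles
        if ($sid) {
            [pscustomobject]@{ Directory = $dir; Issue = 'standard user can create files'; Principal = $sid }
        }
    } else {
        # A PATH entry that does not exist is just as useful to an attacker if a standard
        # user can create it: the loader will search the directory once it appears.
        $parent = Split-Path -Path $dir -Parent
        if ($parent -and (Test-Path -LiteralPath $parent -PathType Container)) {
            $sid = Get-LowPrivGrant -Path $parent -RequiredMask $createDirs
            if ($sid) {
                [pscustomobject]@{ Directory = $dir; Issue = 'missing; standard user can create it'; Principal = $sid }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No machine PATH entries are writable by the checked low-privilege principals.'
}
```

A hit is a lead, not proof of a vulnerability: PATH is the last place the standard DLL search order looks, so a directory it flags only matters for a DLL the service fails to find in its own directory or the system directories first, and a Deny ACE can override the Allow the script reports. Fixing a finding means tightening the directory's ACL or removing it from the machine PATH; the durable fix on the software side is for privileged services to load their libraries by absolute path, or to verify signatures before loading, as the SupportAssist update did for the vulnerable component.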
SafeBreach did not detail if hackers had already exploited the flaw, but it would’ve been an alluring target given the software comes pre-installed on millions of Dell laptops and PCs.
“This means that as long as the software is not patched, the vulnerability affects millions of Dell PC users,” wrote security researcher Peleg Hadar.
SupportAssist is a software repair tool that proactively monitors the system for hardware and software issues, alerting customers to take appropriate action to resolve them.
Troublingly, Dell is not the only company that’s shipping PCs with the vulnerable software.
As it happens, Dell ships SupportAssist with a third-party component known as PC-Doctor Toolbox. The software is written and maintained by PC-Doctor, a Nevada-based diagnostics and customer support firm that offers specialized troubleshooting products to other electronic device makers.
“Leading computer makers have pre-installed over 100 million copies of PC-Doctor for Windows on computer systems worldwide,” states the website, meaning the vulnerability also affects other original equipment manufacturers that rely on PC-Doctor.
Dell, which confirmed the vulnerability in early May, sent the issue to PC-Doctor. The company went on to implement the fix made by PC-Doctor and released updates on May 28, 2019 for the affected SupportAssist versions.
“We follow industry best practices to disclose vulnerabilities in a responsible and coordinated fashion. Since the vulnerable component was with PC-Doctor, we coordinated with PC-Doctor so they could responsibly and fairly alert their other customers to give them a chance to implement the fix as well before we publicly disclosed our fix,” said a Dell spokesperson via email.
This is not the first time SupportAssist has been under the scanner for security issues. Back in April, Dell patched a separate vulnerability in the utility that would have exposed Dell laptops and personal computers to a remote attack, allowing hackers to hijack a computer if the attacker's machine was on the same local network.
Update on June 24, 9:30 AM IST: Dell confirmed to us that they have seen no evidence of exploitation —
We have seen no indication or evidence of exploitation. More than 90% of customers have already upgraded to the updated versions and are no longer at risk for this vulnerability. SupportAssist updates automatically if automatic updates are enabled. Most customers have automatic updates turned on.
The story has been updated to include the latest statement from Dell.