Dell's SupportAssist client had severe security flaws, reveals 17-year-old researcher

If you own a Dell PC, you should update your SupportAssist client at the earliest.

Dell's SupportAssist, a preinstalled tool designed to install the right drivers and perform health checks on Dell PCs, had been harbouring two high-severity security vulnerabilities since at least September 2018.

The discovery of the two high-risk vulnerabilities was made by a 17-year-old security researcher from Boston, Massachusetts named Bill Demirkapi, when he decided to replace his aging MacBook Pro with a Dell G3.

The first, a remote code execution vulnerability (CVE-2019-3719), can be exploited by an unauthenticated attacker who shares the network access layer with the vulnerable system, for example someone on the same local network. Such an attacker can compromise the machine by tricking the victim into downloading and executing arbitrary executables through the SupportAssist client from attacker-hosted sites.

[Image: Dell logo on the Latitude 7390 2-in-1. Image: tech2]

The second, an improper origin validation vulnerability (CVE-2019-3718), lets an unauthenticated remote attacker attempt cross-site request forgery (CSRF), that is one-click, attacks against users of affected PCs, according to Dell's advisory.

Demirkapi, who recounts his discovery in a blog post, apparently wrote to Dell about the vulnerabilities back in October 2018. Dell soon acknowledged the existence of the vulnerabilities and promised to roll out a fix within the first quarter of 2019.

However, it was only in late April 2019 that Dell released an advisory on the matter. As per Dell, SupportAssist Client version 3.2.0.90 (and later) contains resolutions to the reported vulnerabilities; the updated installer is linked from Dell's support advisory for the vulnerabilities.

It remains unclear why Dell took so long to patch them.
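If you want to confirm whether a Dell machine is still exposed rather than trusting the SupportAssist UI, the following PowerShell snippet is an added example (not from the article or from Dell) that reads the installed SupportAssist version from the standard Windows Uninstall registry keys and compares it against the 3.2.0.90 fix version named in the advisory. It assumes SupportAssist registers an uninstall entry whose DisplayName contains "SupportAssist" and carries a parseable DisplayVersion; if your build registers under a different name, adjust the wildcard.

```powershell
# Added example: check whether the installed Dell SupportAssist client is at or
# above the version Dell's advisory names as fixed (3.2.0.90 and later).
# Assumption: SupportAssist appears under the usual Uninstall keys with a
# DisplayName containing "SupportAssist" and a DisplayVersion string.
$FixedVersion = [version]'3.2.0.90'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every uninstall entry that looks like SupportAssist and has a version.
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion }

if (-not $entries) {
    Write-Output 'SupportAssist not found in the Uninstall registry keys (not installed, or registered under another name).'
    return
}

foreach ($e in $entries) {
    $installed = $null
    # DisplayVersion is a free-form string; refuse to guess if it does not parse.
    if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: could not parse version '{1}'" -f $e.DisplayName, $e.DisplayVersion)
        continue
    }
    if ($installed -ge $FixedVersion) {
        Write-Output ("{0} {1}: at or above {2}, contains the CVE-2019-3718/CVE-2019-3719 fixes" -f $e.DisplayName, $installed, $FixedVersion)
    } else {
        Write-Output ("{0} {1}: below {2}, update from Dell's advisory page" -f $e.DisplayName, $installed, $FixedVersion)
    }
}
```

Run it in an elevated PowerShell session on the Dell machine itself; both the 64-bit and WOW6432Node hives are checked because SupportAssist builds have shipped as 32-bit installers. A "below 3.2.0.90" result means the client should be updated before the machine is used on untrusted networks, since CVE-2019-3719 only requires an attacker on the same network segment.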
