Dell released a security advisory urging customers to update the vulnerable SupportAssist application built into both business and home machines. The privilege escalation vulnerability, assigned CVE-2019-12280, can allow hackers access to sensitive information and control over millions of Dell computers running Windows.
Dell SupportAssist is an application that conducts health checks on system hardware and software. To do this it needs a high level of access and therefore runs as SYSTEM. Exploiting the vulnerability against SupportAssist can give outsiders control over a machine and let them execute malicious payloads from within a signed service, that is, one that Microsoft recognizes as trusted.
The vulnerability was first reported by SafeBreach researchers, who found that SupportAssist does not handle its dynamic link libraries (DLL) securely, making DLL hijacking possible for hackers.
Like many programs, SupportAssist loads DLL files when starting up. However, SafeBreach discovered that the SupportAssist application would load any unsigned DLL as long as its filename matched that of a DLL the software expects. In other words, SupportAssist checks neither who produced the DLL it is loading nor where it is loaded from. This makes DLL hijacking possible: an attacker could replace an expected DLL file with a malicious DLL of the same name, which the SYSTEM-level service would then load.
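As an added illustration (not code from the advisory, Dell, or Trend Micro), the loading pattern described above can be turned into a detection rule: a process running as SYSTEM that loads a DLL which is unsigned or lives in a directory a standard user can write to. It assumes Sysmon-style image-load records with the field names shown; the log records, paths and executable names are constructed placeholders.

```python
import json
from pathlib import PureWindowsPath

# Directories a standard user cannot normally write to. A DLL loaded by a
# SYSTEM process from anywhere else could have been planted by a local user.
PROTECTED_PREFIXES = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

def _under(path, prefix):
    """Case-insensitive, component-wise check that path lies below prefix."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    base = [s.lower() for s in PureWindowsPath(prefix).parts]
    return parts[:len(base)] == base

def hijack_reasons(rec):
    """Return why an image-load record looks like DLL hijacking, or [] if it
    does not. Field names follow Sysmon Event ID 7 (assumed)."""
    if rec.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return []  # this rule only cares about privileged loaders
    reasons = []
    if not (rec.get("Signed", "").lower() == "true"
            and rec.get("SignatureStatus") == "Valid"):
        reasons.append("unsigned or invalid signature")
    if not any(_under(rec["ImageLoaded"], p) for p in PROTECTED_PREFIXES):
        reasons.append("loaded from outside protected directories")
    return reasons

def scan(lines):
    """Return (loader, dll, reasons) for every suspicious record in a log feed."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        reasons = hijack_reasons(rec)
        if reasons:
            hits.append((rec["Image"], rec["ImageLoaded"], reasons))
    return hits

# Constructed sample records; "agent.exe" and the DLL names are placeholders,
# not the real Dell or PC-Doctor file names.
AGENT = r"C:\Program Files\Vendor\agent.exe"
SAMPLE_LOG = [
    json.dumps({"User": r"NT AUTHORITY\SYSTEM", "Image": AGENT, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"User": r"NT AUTHORITY\SYSTEM", "Image": AGENT, "ImageLoaded": r"C:\ProgramData\Vendor\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"User": r"NT AUTHORITY\SYSTEM", "Image": AGENT, "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"User": r"DESKTOP\alice", "Image": r"C:\Users\alice\tool.exe", "ImageLoaded": r"C:\Users\alice\tool.dll", "Signed": "false", "SignatureStatus": "Unavailable"}),
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_LOG):
        print(f"{image} loaded {dll}: {', '.join(reasons)}")
```

The third record is the case the advisory describes: an unsigned DLL accepted by a SYSTEM service on filename alone, which is worth alerting on even when it sits under Program Files.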
The vulnerability originates from the PC-Doctor third-party component used in SupportAssist. It was first reported to Dell on April 29. Other software products affected by this vulnerability include PC-Doctor Toolbox for Windows, which is also distributed under several re-branded titles.
Solutions and recommendations
Dell released the patch for the vulnerability on May 28 and reported that around 90% of their customers have already received it. Dell SupportAssist also updates automatically if automatic updates are enabled for the computer.
Users and enterprises alike must continue to remain abreast of new and old vulnerabilities. Cybercriminals will continue to find new ways to exploit even old and patched vulnerabilities on the assumption that many users do not apply the needed patches immediately, if at all.
Enterprises and users can turn to existing technologies for a quicker response to vulnerabilities. Technologies like virtual patching can, for example, protect organizations from attacks based on known and unknown vulnerabilities.
The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.