Dell laptops confirmed to be affected by serious SupportAssist security flaw
If you have a Dell laptop, stop what you are doing and check which version of Dell SupportAssist you have installed. If its version number is older than 3.2.0.90, download the latest version immediately; you can find the installer here, which we have taken from Dell Support. Uninstalling it entirely is a sound alternative.
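For anyone who wants to run that check without clicking through Settings, here is a short PowerShell script. It is an added example, not code from the article, from Dell or from Demirkapi, and it assumes that SupportAssist registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "SupportAssist" and a DisplayVersion string. It compares the installed version against the fixed 3.2.0.90 release as a typed version rather than as text, because a plain string comparison would rank a hypothetical "3.10.0.0" below "3.2.0.90" and report a patched machine as vulnerable.

```powershell
# Added example (not from the article or from Dell): report whether the installed
# Dell SupportAssist is older than the fixed release 3.2.0.90 named in the article.
# Assumptions: the product is registered under the standard Windows Uninstall keys
# with a DisplayName containing "SupportAssist" and a DisplayVersion string.

$FixedVersion = [version]'3.2.0.90'

# Check both the 64-bit and the 32-bit (WOW6432Node) uninstall hives; an
# installer may have used either.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistInstall {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-SupportAssistVulnerable {
    param([Parameter(Mandatory)][string]$InstalledVersion)
    # Compare as [version], not as strings: "3.10.0.0" sorts below "3.2.0.90"
    # as text but is the newer release.
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) {
        throw "Unrecognised version string: '$InstalledVersion'"
    }
    return ($parsed -lt $FixedVersion)
}

$installs = @(Get-SupportAssistInstall)
if ($installs.Count -eq 0) {
    Write-Output 'SupportAssist not found under the Uninstall registry keys.'
}
foreach ($i in $installs) {
    $state = if (Test-SupportAssistVulnerable $i.DisplayVersion) {
        'VULNERABLE - update or uninstall'
    } else {
        'OK (3.2.0.90 or later)'
    }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
}
```

Run it from an elevated PowerShell prompt so both registry hives are readable; a machine with no matching entry is reported as such rather than silently passed.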
Why, you ask? Well, it turns out that SupportAssist has been open to attackers for a long time, and Dell has only just fixed it. The company markets the software as "the industry’s first automated proactive and predictive support technology", designed to "proactively check the health of your system’s hardware and software". Importantly, Dell pre-installs it on "most of all new" devices. To put that abstract statement into context, Dell reported US$10.9 billion in revenue from laptop and PC sales earlier this year according to Bloomberg, so we are talking about SupportAssist being installed on millions of computers.
All credit goes to Bill Demirkapi, who found this vulnerability and reported it to Dell. His blog post covers the matter in great detail. You can also find him on Twitter @BillDemirkapi.
In short, the security issue he found centres on how the SupportAssist client communicates with the Dell Support website when finding and installing new drivers. Dell has configured the client to download and automatically install drivers, and the downloaded files can be intercepted. An attacker can then substitute their own malicious files and have SupportAssist install them automatically. Demirkapi has released a proof of concept video that we have included below, while Dell has now fixed the vulnerability and published an advisory note, which you can read here.
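The lesson for anyone who ships an auto-installer is that a file fetched over the network must not be trusted just because it arrived at the expected time from the expected place. The following PowerShell function is an added example, not code from the article, from Dell or from Demirkapi, and it does not claim to describe how Dell's fix works. It shows the gate a downloader should apply before handing anything to the installer: the file must carry a valid Authenticode signature that chains to a trusted root, and the signing certificate must belong to the expected publisher. The file path and the publisher subject are placeholders you would set yourself.

```powershell
# Added example (not from the article, Dell or Demirkapi): refuse to run a
# downloaded installer unless it is validly signed by the expected publisher.
# Assumptions: $DownloadedFile and $ExpectedSubject are placeholders; the
# subject string below is illustrative, not a real certificate.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject   # pinned signer subject
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Trusted = $false; Reason = 'file missing' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is Valid only when the signature verifies and the certificate chains
    # to a trusted root. NotSigned, HashMismatch (file altered after signing) and
    # UnknownError all land here and are rejected.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "signature status $($sig.Status)" }
    }

    # A valid signature from *any* publisher is not enough: pin the subject of the
    # signing certificate so a substituted, differently signed file is refused.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "unexpected signer: $($sig.SignerCertificate.Subject)"
        }
    }

    return [pscustomobject]@{ Trusted = $true; Reason = 'valid signature from expected publisher' }
}

# Usage: only start the installer when the gate passes.
$DownloadedFile  = 'C:\Temp\downloaded-driver.exe'                              # placeholder
$ExpectedSubject = 'CN=Expected Publisher Inc, O=Expected Publisher Inc, C=US'  # placeholder

$check = Test-TrustedInstaller -Path $DownloadedFile -ExpectedSubject $ExpectedSubject
if ($check.Trusted) {
    Start-Process -FilePath $DownloadedFile -Wait
} else {
    Write-Warning "Refusing to run $DownloadedFile : $($check.Reason)"
}
```

Pinning the certificate thumbprint instead of the subject is stricter still, at the cost of having to update the pin whenever the publisher rotates its signing certificate; either way, the point is that the decision to execute rests on the file's provenance rather than on the channel it came over.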
It is bad enough that it took a teenager to find a security flaw that seems to be there by design, but Dell's handling of the issue makes matters even worse. This will have affected millions of computers, yet it took the company almost six months from its first response to Demirkapi's report to release a fix. He listed the timeline of events as follows:
- 10/26/2018 - Initial write up sent to Dell.
- 10/29/2018 - Initial response from Dell.
- 11/22/2018 - Dell confirmed the vulnerability.
- 11/29/2018 - Dell scheduled a “tentative” fix to be released in Q1 2019.
- 01/28/2019 - Disclosure date extended to March.
- 03/13/2019 - Dell is still fixing the vulnerability and has scheduled disclosure for the end of April.
- 04/18/2019 - Vulnerability disclosed as an advisory.
Please see Demirkapi's blog for a full explanation of the remote code execution exploit, which he has written up in full. Poor show indeed, Dell.