HP is the latest company to run into a serious security snafu with vulnerable software that comes pre-installed on all new HP computers potentially leaving owners open to hackers.
The software in question is ironically the HP Support Assistant, which is supposed to users with firmware and driver updates. The software had a number of vulnerabilities identified all the way back in October of last year and to date, HP has been unable to patch all of them (via TechRadar).
The remaining vulnerabilities
Out of ten original vulnerabilities that were identified by security researchers in October 2019, HP has managed to address seven of them with a couple of software updates. Critically, this included three vulnerabilities that could be executed remotely. Those that remain are local privilege escalation vulnerabilities.
With the proper malware, these flaws could be utilized to elevate permissions following an exploit which would, in turn, allow them to dig deeper on the already-compromised computer.
According to Bill Demirkapi, the security researcher who uncovered the flaws, "It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine."
What you should do
HP has been unable to fix the problem with patches or updates, but there is a solution to the problem to keep your system safe: remove HP Support Assistant and HP Support Solutions Framework entirely until HP is able to patch the problem.
Fortunately, this is a simple enough task:
- Go to Settings
- Select Apps and then Apps & features
- Select HP Support Assistant from the list
- Click Uninstall and then confirm Yes in the dialog box
- Repeat for HP Support Solutions Framework
- Restart your computer