Update your Dell computer now to avoid RCE security vulnerability in SupportAssist tool
As owners of Dell computers will be only too aware, the company is no stranger to stuffing systems with bloatware. This in itself is irritating, but when that bloatware includes a security vulnerability that could be exploited by hackers, the irritation becomes rather more serious.
The SupportAssist tool is supposed to provide an easy way to update drivers on Dell computers and laptops, as well as deleting unnecessary files and the like. However, it poses a security risk if you don't install the latest update from Dell to plug a vulnerability. The flaw (CVE-2019-3719) has been assigned a high severity rating of 8.0, and could enable an attacker to take control of your computer.
Dell explains what the problem involves: "An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites".
The risk posed by the vulnerability is somewhat mitigated by the fact that an attacker has to be on the same network, but this is certainly not something that is beyond the realms of possibility.
If exploited, the vulnerability could allow an attacker to take control of a victim's computer.
The security flaw was brought to light by 17-year-old security researcher Bill Demirkapi back in October, and he explains his findings here. Dell issued a patch for the problem late last month, and in an advisory about the flaw says:
Dell SupportAssist Client versions prior to 22.214.171.124 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.
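The advisory's "improper origin validation" describes a local helper service that trusted requests from web pages it should not have. As an added illustration (not Dell's code, and not from the article or the researcher's write-up), the Python below contrasts a loose substring check on the Origin header with a strict, exact-origin allowlist of the kind a locally listening agent should enforce. The allowlist contents are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; the real allowlist is not on the page.
TRUSTED_ORIGINS = {"https://www.dell.com"}


def weak_origin_check(origin):
    """A check that is not sufficient: any origin containing 'dell.com' passes,
    including https://www.dell.com.attacker.example or a query string that
    merely mentions the name."""
    return origin is not None and "dell.com" in origin


def is_trusted_origin(origin, allowlist=TRUSTED_ORIGINS):
    """Strict check: the Origin header must be exactly an allowlisted origin
    (https scheme, exact host, default or explicit port, no path or query)."""
    if not origin:
        return False  # missing or empty Origin: do not assume a trusted caller
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False  # covers plain http, the literal "null" origin, and junk
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # a real Origin header carries no path or query
    try:
        port = parts.port or 443
    except ValueError:
        return False  # unparsable port such as https://host:abc
    host = parts.hostname.lower()
    normalized = f"https://{host}" + ("" if port == 443 else f":{port}")
    return normalized in allowlist


def request_allowed(headers):
    """Decide whether a local service should honour a browser-initiated
    request, given its headers as a dict (header names matched case-insensitively)."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    return is_trusted_origin(origin)
```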
The solution is to upgrade to the latest version of the tool -- which can be found here -- as soon as possible.