Portrait Display service makes millions of HP, Fujitsu and Philips notebooks vulnerable
Security researchers at SEC Consult discovered a vulnerability in Portrait Display, software that OEMs such as HP and Fujitsu ship on millions of notebooks.
The Portrait Display SDK Service is used by OEMs such as HP and Fujitsu to provide an on-screen display through which notebook users can tune their displays. The core idea behind the service is to give users better and more direct display controls than Windows itself offers.
The application goes under different names, as OEMs usually rebrand it when it ships with their notebooks. HP customers may know it as HP Display Assistant, HP Display Control, HP My Display, or HP Mobile Display Assistant, Fujitsu customers as Fujitsu DisplayView Click, and Philips customers as Philips SmartControl.
Portrait Display service vulnerability
SEC Consult's researchers found that the access control list of the PdiService service grants the Authenticated Users group the right to change the service's configuration. Any local user can therefore point the service's binary path at a program of their choice, and because the service runs with SYSTEM privileges, that program runs as SYSTEM the next time the service starts. The result is a local privilege escalation from an ordinary user account to SYSTEM.
The researchers describe how they discovered the vulnerability, and how it can be exploited, on their company blog.
More interesting from a user's point of view is that they offer two ways to fix affected systems. Users may want to check the installed services on their Windows machine to find out whether their installation is affected by the issue.
You can launch the Services Manager with a tap on the Windows-key, typing services.msc, and hitting the Enter-key on the keyboard.
Another option, one that may work better, is to run the command sc query pdiservice from the command line to see if the service is installed on the device. To inspect the permissions themselves, run sc sdshow pdiservice: an allow entry of the form (A;;rights;;;AU) whose rights include DC (change configuration), WD (write DACL) or WO (write owner) means that Authenticated Users can reconfigure the service.
Portrait, the developer of the application, has released an updated version of the software that patches the security issue.
Affected customers may want to head over to the Portrait website to download the security patch and install it on affected devices. Simply run the downloaded file and follow the on-screen instructions; the update replaces the local files so that they are no longer vulnerable to the described attack.
The second option is to run a command on the local system that resets the service's permissions to the Windows defaults, which contain no entry for the Authenticated Users group at all.
- Tap on the Windows-key, type cmd.exe, hold down Shift-key and Ctrl-key, and hit the Enter-key to launch an elevated command prompt.
- Run the following command (the security descriptor is a single argument, so it must contain no spaces): sc sdset pdiservice D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
- Run sc sdshow pdiservice afterwards to confirm that the Authenticated Users (AU) entry is gone; only SYSTEM (SY) and Administrators (BA) keep full control, while Interactive (IU) and Service (SU) users can only query the service.
Portrait reacted quickly to the reported vulnerability and released a patch promptly. This is not always the case when it comes to software that ships with notebooks or desktop PCs. So-called bloatware is still a big issue today, as it usually slows down the PC and may introduce security vulnerabilities on top of all that.
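The check and the fix above apply to any Windows service, not only PdiService, so it is worth scripting them. The following PowerShell is an added example written for this article; it is not code from SEC Consult, Portrait or any OEM. It parses the SDDL that sc sdshow prints, flags allow entries that give broad groups (Authenticated Users, Users, Interactive, Everyone) the rights needed to reconfigure a service, audits every installed service, and can reset a flagged service to the default descriptor quoted above. It assumes sc.exe is on the PATH and that the fix is run from an elevated session; the sample SDDL at the end is constructed for the demonstration and is not the real PdiService descriptor.

```powershell
# Added example for this article, not code from SEC Consult, Portrait or an OEM.
# Audits service DACLs for the class of bug behind PdiService and resets them.
# Assumes sc.exe is available; Reset-ServiceDacl needs an elevated PowerShell.

# Service SDDL rights that let a caller take over the service:
# DC = SERVICE_CHANGE_CONFIG (rewrite binPath), WD = WRITE_DAC, WO = WRITE_OWNER,
# GA / GW = generic all / generic write.
$script:DangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')

# Principals every local user belongs to, by SDDL alias and by well-known SID.
$script:BroadPrincipals = @{
    'AU' = 'Authenticated Users'; 'BU' = 'Users'; 'IU' = 'Interactive'; 'WD' = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users'
    'S-1-5-4' = 'Interactive'; 'S-1-1-0' = 'Everyone'
}

function Get-WeakServiceAces {
    # Returns the allow ACEs in an SDDL string that grant a dangerous right to a
    # broad principal. Input is the line printed by sc sdshow or a literal string.
    param([Parameter(Mandatory)][string]$Sddl)

    $findings = @()
    $daclStart = $Sddl.IndexOf('D:')
    if ($daclStart -lt 0) { return $findings }
    $dacl = $Sddl.Substring($daclStart + 2)
    $saclStart = $dacl.IndexOf('S:')            # drop the audit ACL if present
    if ($saclStart -ge 0) { $dacl = $dacl.Substring(0, $saclStart) }

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $fields = $m.Groups[1].Value -split ';'  # type;flags;rights;objguid;inhguid;sid
        if ($fields.Count -lt 6 -or $fields[0] -ne 'A') { continue }
        $rights = $fields[2]; $sid = $fields[5]
        if (-not $script:BroadPrincipals.ContainsKey($sid)) { continue }

        if ($rights -like '0x*') {
            # Raw hex access mask: test the same rights bit by bit.
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $hit = ($mask -band 0x2) -or ($mask -band 0x40000) -or ($mask -band 0x80000) -or
                   ($mask -band 0x10000000) -or ($mask -band 0x40000000)
            $granted = if ($hit) { @($rights) } else { @() }
        } else {
            # Rights are concatenated two-letter codes, e.g. CCDCLCSWRPWPDTLOCRSDRCWDWO.
            $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $granted = @($codes | Where-Object { $script:DangerousRights -contains $_ })
        }
        if ($granted.Count -gt 0) {
            $findings += [pscustomobject]@{
                Principal = $script:BroadPrincipals[$sid]
                Sid       = $sid
                Rights    = ($granted -join ',')
            }
        }
    }
    return $findings
}

function Test-ServiceDacl {
    # Reads one service's security descriptor with sc.exe and reports weak ACEs.
    param([Parameter(Mandatory)][string]$Name)
    $out = (& sc.exe sdshow $Name | Out-String)
    if ($LASTEXITCODE -ne 0) { Write-Warning "sc sdshow $Name failed: $($out.Trim())"; return @() }
    $sddl = $out -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'D:*' } | Select-Object -First 1
    if (-not $sddl) { return @() }
    Get-WeakServiceAces -Sddl $sddl |
        ForEach-Object { $_ | Add-Member -NotePropertyName Service -NotePropertyValue $Name -PassThru }
}

function Reset-ServiceDacl {
    # Applies the default service DACL from the article: SYSTEM and Administrators
    # keep full control, Interactive and Service users may only query the service,
    # and no Authenticated Users entry remains. Requires an elevated prompt.
    param([Parameter(Mandatory)][string]$Name)
    $default = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    & sc.exe sdset $Name $default | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed (is the session elevated?)" }
}

# Audit every installed service and list the ones an ordinary user could reconfigure.
Get-Service | ForEach-Object { Test-ServiceDacl -Name $_.Name } | Format-Table Service, Principal, Rights

# Constructed sample (not the real PdiService descriptor): Authenticated Users get DC,
# so this returns one finding with Rights = 'DC'.
Get-WeakServiceAces -Sddl 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'

# Fix pdiservice if it is installed and flagged, then verify the descriptor again.
if (Test-ServiceDacl -Name pdiservice) { Reset-ServiceDacl -Name pdiservice; Test-ServiceDacl -Name pdiservice }
```

The parser only reads the DACL, so SACL entries (which also use two-letter codes) cannot produce false positives, and it treats a raw hex access mask the same way as the letter codes. Note that a finding from the audit is a lead, not proof of exploitability: a service that a broad group can reconfigure is only a privilege escalation when, like PdiService, it runs under a more privileged account than the caller.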
This is not the first time that security issues were found in OEM software. Last year, it was discovered that OEM update programs put PCs at risk as well.
My suggestion is, usually, to remove bloatware either manually, or by running programs such as Decrap or PC Decrapifier. (via Born)
Now You: How do you handle bloatware on your systems?
How is this bloatware if it adds functionality which may be used daily by its users? Especially since it allows users to color calibrate their screens in laptops where displays can’t be configured beyond brightness in Windows. Not everybody is rich enough to buy properly factory calibrated laptops or buy screen calibration tools/software. Nor do they have the time to re-calibrate the screen every time their job requests it, when a software offers profiles to instantly switch them.
Well I guess it can be called crapware since it was crappy in securing its software, but at least it was instantly patched like you mentioned. Please don’t encourage users to use terms wrongly which may mislead them.
And before someone mentions Windows has built-in calibration, that only has basic controls for the average consumer. Not to mention it uses Windows color profiles which do not actually do its job properly enough for advanced users.
Well, there is no official definition of bloatware, and it is obviously possible that users may find some programs that others would call bloatware as useful.
If you ask for my definition, I define bloatware as any software that is added to a computer — be it Windows or Android, or whatever — by an OEM.
Yes, some of these programs are useful, but most are badly designed, slow down the machine, and may even introduce security issues on top of all that.
It also ships with HP desktop monitors.
Hehe… I have the HP monitor; love it, but never install any junk they give with it. All you need is a driver/ICM color profiles and that’s it. I don’t even install the ASUS apps n craps that they suggest to install after installing Windows. Hell no. Just drivers is all you need :) …not their spying eyes in the name of system apps :D