HP Support Assistant has a DLL Hijacking Vulnerability
HP Support Assistant is a software program that is included on HP computers and notebooks. The program is also available as a standalone download; customers who use HP peripherals, such as printers or scanners, may install it to manage these devices on non-HP PCs.
HP published a HP Support Assistant security advisory on its website on September 6, 2022. According to the information, HP Support Assistant is vulnerable to DLL hijacking.
DLL hijacking is a common attack technique that exploits weaknesses in the DLL loading order on Windows, provided that programs do not specify library paths properly. Attackers may exploit the weakness by placing malicious DLL files in locations that are prioritized over the location of the legitimate DLL file.
Tip: DLL Hijack Detect is an open source tool to detect potential issues in Windows applications regarding DLL hijacking.
HP explains on the security advisory:
HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.
The vulnerability has a severity rating of high, the second highest after critical.
HP published an update for its HP Support Assistant software that includes the fix. The company recommends that customers turn on automatic updates to install the latest version. Alternatively, customers may download the latest version of HP Support Assistant from the official website.
The link that HP published at the time of writing is not working; we replaced it with a working one above.
HP Support Assistant 9 for PC requires a PC with Windows 10 or 11. A legacy version is provided for customers who run older versions of Windows. It is unclear from HP's description if the legacy version has received an update as well.
HP lists all versions of HP Support Assistant earlier than 9.11 as affected, which suggests that an update has not been released for the legacy version.
Closing Words
Many PC manufacturers install custom proprietary software on their devices. Some users uninstall these products, as they tend to be very heavy and have limited uses, but the majority of PC users is keeping these installed on their devices.
Now You: do you keep software from the PC's manufacturer installed, or uninstall it?
Thats why I always do a clean install after getting a new laptop(Recovery Partition is kept) to remove OEM crapware besides their Proprietary stuff that needs drivers like Keyboard Keys, etc. Remove any other crapware like Support, Autoupdate, etc.
Also download hardware drivers of gpu, cpu, wifi, bluetooth, etc. from their manufacturers.
In four words: nonsense useless HP bloatware. Thanks for the article. :]
Now You: do you keep software from the PC’s manufacturer installed, or uninstall it?
I always wipe the hard drive and install the operating system from scratch. Then I only install needed drivers downloaded from the PC manufacturer’s website (or device manufacturer. ex Nvidia). And in the process also make sure only the driver is installed and not any additional software. Overall I highly limit installed software on the system to reduce its attack surface and complexity. I also use a software firewall in white list mode where only a few approved applications are allowed outbound or inbound network access (along with a hardware firewall router that blocks all inbound Internet access. ex. GRC ShieldsUp shows stealth mode).
This alert is for older versions of HP Support Assistant, isn’t it?
HP says:
Affected products:
HP Support Assistant versions earlier than 9.11.
Fusion versions earlier than 1.38.2601.0.
The version I have installed is 9.20.22.0
But the “latest” version being offered on HPs site is only 9.19.52.0
What’s with that??
It’s awful using HP’s software. Every time I see offices purchasing HP printers, my heart bleeds. I attempt to avoid using their bloated software by using their universal drivers.
To make matters worse, the use of their Smart Scan software now necessitates creating an online account in order to make a simple scan. My wish is for this business to perish severely.
HP Support Assistant is abysmal software. Especially the the option of installing bios updates is a dangerous nightmare. You just go to the HP support site and fill in the serial number of your machine. Even then it is very confusing. Windows comes to the rescue with auto driver updates. But which brand today has not this stupid kind of software?
Did you just change the default font on gHacks? Suddenly shows up much smaller (at least in Firefox).
@Martin: Never mind. It’s a bug in version 2.3.3 of the Facebook Container add-on for Firefox. Currently being reported on its Github page that it’s breaking body fonts for many users.
Just checked, don’t see this in Firefox or other browsers. Did you try refreshing the page using Shift-Reload?
When you thought you couldn’t possibly hate HP printers any more…
This is not related to printers. This is a software to keep HP systems updated (desktop computers and laptops). Like Windows Update, but for updating HP drivers and bloatware.
“Now You: do you keep software from the PC’s manufacturer installed, or uninstall it?”
Image the drive and throw it into storage then wiping & installing Linux.
@Neo:
Aha! So you DO “keep” it! ;-)