Of a dozen vulnerabilities found in HP Support Assistant, three are still present in the software that comes preinstalled on HP computers running Windows.

HP computers come standard with HP Support Assistant, which monitors the device in use. Among the features Support Assistant provides is the automatic updating of a number of installed drivers. According to some, the program can be categorized as bloatware: users cannot initially choose whether they want Support Assistant at all, since it is preinstalled on the purchased computer.

At the end of 2019, the reputation of Support Assistant suffered further when a dozen or so security holes were discovered. Six of these were fixed immediately by HP with a patch (in December), but four remained. Cyber security researcher Bill Demirkapi identified the vulnerabilities that could still be abused, after which HP came up with another patch. Initially, this patch was to be rolled out in early March, but due to the coronavirus, the release was moved to 21 March. Even after installation of that patch, three of the vulnerabilities remain in Support Assistant.

Patch

According to the researcher, although HP attempted to fix two of the reported vulnerabilities with the latest patch, it remains possible to gain elevated rights on a system. A third, similar vulnerability was not touched at all by the March patch, according to Demirkapi.

According to the researcher, the first measure to take is to update Support Assistant (the software does not update itself automatically), but he warns that three vulnerabilities will still be present in the latest version. According to Demirkapi, the best solution would therefore be to uninstall Support Assistant.