Tens of millions of biz Dell PCs smacked by privilege-escalation bug in bundled troubleshooting tool

Dell has copped to a flaw in SupportAssist – a Windows-based troubleshooting program preinstalled on nearly every one of its newer devices running the OS – that allows local hackers to load malicious files with admin privileges. The company has issued an advisory about the vulnerability, warning that a locally authenticated …

  1. Joe W Silver badge

    Remind me again:

    Why do laptops come preinstalled with CarpWare like that? As if the stoopid "free" games that seem to come bundled with the newest incarnation of MS' attempt at an operating system were not enough....

    (for myself it's not an issue, no windows PCs for me - but I have family, y'know)

    1. ArrZarr Silver badge

      Re: Remind me again:

      Your family who are running on Business Dell laptops?

      1. Joe W Silver badge
        Alert

        Re: Remind me again:

        "affects Dell SupportAssist for business PCs version 2.1.3 or earlier and for home PCs version 3.4 or earlier."

        1. tcmonkey

          Re: Remind me again:

          Even if it was just business PCs, how crazy does a business have to be to not re-pave machines before use?

          1. Phil Kingston

            Re: Remind me again:

            Small operations won't have the IT skills/resources/cash/desire to bother with de-bloating lappies before handing them out.

            1. revenant Silver badge

              Re: Remind me again:

              Spot on.

              I help out at a charity for a couple of hours a week. They have no tech support staff, and if they happen to need a new PC, I'm the one who has to set it up for them. I daren't risk fiddling too much with what has been delivered because I wouldn't be able to do a reliable enough job of tailoring the build in the short time available.

              So, I settle for making sure that Windows 10 violates their privacy as little as possible and leave the Dell bloatware as is.

              My ideal would be to save them money and dual-boot their old Windows boxes with Mint - so that they can keep their Word and Excel on the original OS and use Mint for anything else (including internet use) - but the culture shock would be too great.

            2. Mongrel
              Windows

              Re: Remind me again:

              I'd also presume that having and using the supplied bloatware is part of the support contract or warranty support. I mean slapping an offshore call centre in front of a flow chart whose first question is "What does the software say?" saves on their budget.

              **Just cynical guesses on my part, no idea what actually happens here**

              1. jelabarre59 Silver badge

                Re: Remind me again:

                I'd also presume that having and using the supplied bloatware is part of the support contract or warranty support. I mean slapping an offshore call centre in front of a flow chart who's first question is "What does the software say?" saves on their budget.

                But even if you're forced to leave the SW on the system, the next-best option is to make sure the software doesn't auto-load at startup. Only run it when absolutely necessary. If you're having to leave it on corporate desktops, delete the icons for it as well.

                But you don't even have to be a *small* operation to have your system loaded down with crap. I remember seeing the IBM internal MSWin image, where all the bundled applications were loading all their memory/CPU-hogging accessories that the vast majority would never need/use. It was quite obvious whoever was setting up the apps simply clicked past ALL the default settings without even looking at them. Your tech-newbie grandmother could have done a cleaner install.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Remind me again:

                  Considering you have to have access to the system or the network to even exploit this. If someone is able to run this exploit you already have a much bigger problem.

    2. Halfmad Silver badge

      Re: Remind me again:

      I've never, at home or work, failed to wipe and reinstall/image Dells, HPs, Lenovos etc. Hell, we even did this with iMacs back in the 90s.

      It's just good to know you are starting from a specific point with all software that's deployed known. I don't trust vendors not to sneak stuff on.

  2. Dr.Flay

    I can always tell if the support centre service has reenabled itself on my Dell laptop, because there is a huge chunk of RAM in use.

    Yay, let's waste over 600MB of your resources to do something a good shareware author could fit on a postage stamp.

  3. Ragarath

    Biz PC's!

    Wait, come on, business PCs? Is there anyone that does not immediately wipe and reinstall Dell, HP, Lenovo or any other vendor?

    I assume this is small biz where they may not have the resource to do this.

    1. ecofeco Silver badge

      Re: Biz PC's!

      Many companies create a custom image and then have the vendor image the PCs before shipping. Many large companies are also moving over to 3rd party/vendor management of their PC assets.

      Yes, that's right, they are letting outside companies remote manage their PCs, which makes sense if you are a very small company. But large companies with millions of dollars of IP assets and thousands of employees? Insanity. And god help you if that vendor is also IBM.

      1. Gotno iShit Wantno iShit

        Re: Biz PC's!

        Do I win anything for the full set?

        - Working for a global corporation ~55,000 employees - check.

        - Laptop supplied pre-imaged by Dell - check.

        - Laptop yesterday self-updated SupportAssist for Home PCs without asking - double WTF?

        - Call to IBM to get it removed - painful.

        Sigh :-(

    2. katrinab Silver badge
      Flame

      Re: Biz PC's!

      Yes. My predecessor at the place I work in now.

      Laptops running Home Edition with all sorts of cr@pware installed including stuff from Sony that displays the latest "news" on the task bar.

  4. Pascal Monett Silver badge
    Facepalm

    "yet another flaw in Dell's SupportAssist software"

    Look, guys, I am very well placed to know that writing good code is not easy, but when you go out of your way to help hackers insert malware, it's kinda on you. Loading a DLL from a non-admin folder? Who thought that that was a good thing? In what kind of meeting was that approach approved and for what reason?

    Or is this another case of rogue engineer?

    Oh well, at least they found it and patched it.

    1. katrinab Silver badge
      Flame

      Re: "yet another flaw in Dell's SupportAssist software"

      "In what kind of meeting was that approach approved"

      The one where they approve the expenditure

      "and for what reason ?"

      It was the lowest bid they received

    2. Michael Wojcik Silver badge

      Re: "yet another flaw in Dell's SupportAssist software"

      Loading a DLL from a non-admin folder? Who thought that that was a good thing?

      Stefan Kanthak has documented (in a series of BUGTRAQ posts) dozens of vendors shipping software that does this.
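The defect the two comments above describe is a DLL loaded from a directory that an ordinary user can write to; whether a given agent is exposed depends on the ACL of every directory it loads modules from. The following PowerShell script is an added example, not code from the article, from Dell, or from any commenter: it enumerates the modules a running process has loaded and reports those whose directory grants create, write or delete rights to Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE. The default process name `notepad` is an assumed placeholder; point it at the agent you are reviewing and run it from an elevated prompt.

```powershell
# Added example, not code from the article or any commenter: audit which DLLs a
# running process has loaded and flag any that live in a directory where a
# low-privilege principal holds create/write/delete rights. That is the condition
# that turns a DLL-loading bug into a local privilege escalation, so it is the
# check to run against any third-party agent that runs as SYSTEM.
# Run from an elevated prompt. The process name is an assumption; substitute the
# service you are reviewing.
param(
    [string]$ProcessName = 'notepad'   # assumed example target, not from the article
)

# Well-known SIDs for principals that any local user can act as.
# Comparing SIDs rather than names keeps the check independent of the OS language.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # INTERACTIVE
)

# Directory rights that let a user plant a new file or replace/remove an existing one.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

# Returns the first low-privilege SID that can write into $Directory, or $null.
function Get-LowPrivWriter {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or unresolvable identity; not one of the well-known groups
        }
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) { return $sid }
    }
    return $null
}

# Lists every loaded module of the named process whose directory a low-privilege user can write to.
function Get-HijackableModules {
    param([string]$Name)
    $findings = @()
    $checked = @{}   # directory -> writer SID, so each directory's ACL is read once
    foreach ($proc in Get-Process -Name $Name -ErrorAction Stop) {
        try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
        foreach ($module in $modules) {
            $dir = Split-Path -Parent $module.FileName
            if (-not $checked.ContainsKey($dir)) { $checked[$dir] = Get-LowPrivWriter -Directory $dir }
            if ($checked[$dir]) {
                $findings += [pscustomobject]@{
                    Process    = $proc.ProcessName
                    Pid        = $proc.Id
                    Module     = $module.ModuleName
                    Directory  = $dir
                    WritableBy = $checked[$dir]
                }
            }
        }
    }
    return $findings
}

Get-HijackableModules -Name $ProcessName | Format-Table -AutoSize
```

An empty table means none of the currently loaded modules sits in a directory those groups can write to. The script only sees DLLs that actually loaded; a library the program searches for and fails to find never appears in the module list, so for that case watch the process's file opens in Sysinternals Process Monitor for NAME NOT FOUND results under user-writable paths.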

    3. Michael Wojcik Silver badge

      Re: "yet another flaw in Dell's SupportAssist software"

      at least they found it and patched it

      ITYM "at least Eran Shimony found it and was good enough to tell Dell and get them to patch it".

  5. Claptrap314 Silver badge

    In other news, 1+1=2

    "The more software and services installed on a system, the bigger target presented to those wishing to attack it,"

    1. 2+2=5 Silver badge
      Happy

      Re: In other news, 1+1=2

      And 2+2=5 - even more crapware is disproportionately more vulnerable :-)

      Fortunately I've already protected my corp lappy: Support Assist launched itself, stopped at 'phase 2 scanning' and after 7 hours of no discernible activity I killed it, uninstalled it and went home.

  6. kmedcalf

    Standard Operating Procedure

    I would have thought that the Standard Operating Procedure for *any* device was to completely replace all the installed software/firmware with versions obtained from the manufacturer of that device (which means replacing the OEM crap laden version of Windows with a pristine copy obtained from the Windows manufacturer, Microsoft).

    1. Roland6 Silver badge

      Re: Standard Operating Procedure

      >I would have thought that the Standard Operating Procedure for *any* device was to completely replace all the installed software/firmware with versions obtained from the manufacturer of that device...

      And the easiest way of doing that, once Windows has been installed, is to install OEM tools like SupportAssist that download and update the drivers a system needs (which typically aren't the versions MS update tries to install)...

      1. kmedcalf

        Re: Standard Operating Procedure

        Why would anyone do that? Just use the appropriate drivers. No SupportAssist shit required.

      2. jelabarre59 Silver badge

        Re: Standard Operating Procedure

        You could use a utility like DoubleDriver to save all the already-installed drivers on the pre-install image, then save it off to USB/DVD. Once you load the clean install, use the archived drivers you saved off to re-load them, no vendor tools needed.

        And most of the other applications & tools you would want could be installed through Chocolatey. And if you're using some application like MSOffice, well you're already screwed anyway.

      3. kmedcalf

        Re: Standard Operating Procedure

        Assuming a Dell computer and Windows 10:

        1) Download the Windows ISO from Microsoft

        2) Download the Windows 10 Boot DASD drivers if required (they are usually not)

        3) Download the Dell Model Series Driver archive

        4) Boot the Windows 10 ISO and do a clean install, loading the Boot DASD drivers if needed.

        5) Tell Windows to scan the Drivers Disk to install needed drivers.

        6) Install ClassicShell

        7) Run GPEDIT.MSC and set the local policy.

        8) Remove any unwanted Microsoft crapware.

        9) Configure any Windows Features, etc that you need.

        10) Reboot and do not logon. Go make and drink a nice cuppa tea.

        11) Reboot (without having logged on)

        12) Run Windows Update and Reboot and logon again. Repeat until nothing to update.

        The process has been pretty much unchanged for all versions of Windows on all hardware for as long as hardware and Windows have existed.
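Several steps of the procedure above can be scripted once the clean install has booted. The following PowerShell script is an added example and is not the commenter's own tooling: it covers step 5 (installing the archived Dell drivers with the built-in pnputil), one local policy for step 7, step 8 (removing bundled apps for existing accounts and de-provisioning them so new profiles do not get them back) and step 9 (enabling optional features). The driver path, the app name patterns and the feature name are assumptions to be replaced with the archive and build you actually want; steps 1-4 and the reboot/update loop of steps 10-12 stay manual.

```powershell
# Added example, not the commenter's own script: automates the steps of the
# procedure above that can be scripted on a freshly installed Windows 10 machine
# (step 5 driver installation, step 7 one local policy, step 8 removal of bundled
# apps, step 9 optional features). The driver path, app name patterns and feature
# list are assumptions; adjust them to the driver archive and build you want.
# Steps 1-4 and 10-12 (media, install, reboot/update loop) stay manual.
#Requires -RunAsAdministrator
param(
    [string]$DriverRoot     = 'D:\DellDrivers',                        # assumed: extracted model-series driver archive (step 3)
    [string[]]$UnwantedApps = @('*xbox*', '*zune*', '*solitaire*'),    # assumed example patterns (step 8)
    [string[]]$Features     = @('Microsoft-Windows-Subsystem-Linux')   # assumed example feature (step 9)
)

# Step 5: add every .inf under the archive to the driver store and bind it to matching devices.
# pnputil is the built-in driver store tool; /subdirs walks the archive, /install binds devices.
function Install-ArchivedDrivers {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { throw "Driver archive not found: $Root" }
    & pnputil.exe /add-driver (Join-Path $Root '*.inf') /subdirs /install
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "pnputil exited with $LASTEXITCODE; some packages may need a reboot or were rejected"
    }
}

# Step 7: one local policy that supports step 8, so Windows does not silently
# reinstall promoted "consumer experience" apps for new accounts.
function Set-NoConsumerFeaturesPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableWindowsConsumerFeatures' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Step 8: remove bundled apps for existing accounts and de-provision them so new profiles do not get them.
function Remove-UnwantedApps {
    param([string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        Get-AppxPackage -AllUsers -Name $pattern | Remove-AppxPackage -AllUsers -ErrorAction Continue
        Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like $pattern } |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }
}

# Step 9: turn on the optional Windows features the build needs; defer the reboot to step 10.
function Enable-NeededFeatures {
    param([string[]]$Names)
    foreach ($name in $Names) {
        Enable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
    }
}

Install-ArchivedDrivers -Root $DriverRoot
Set-NoConsumerFeaturesPolicy
Remove-UnwantedApps -Patterns $UnwantedApps
Enable-NeededFeatures -Names $Features
Write-Host 'Post-install steps done; reboot without logging on, then run Windows Update until nothing remains (steps 10-12).'
```

Removing the provisioned package as well as the installed one is the part most people miss: the per-user removal alone leaves the package in the image, and every new account created afterwards gets it back. Run the script from the first administrator session, before creating any further accounts, so the provisioning change takes effect for all of them.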

    2. whitepines Silver badge
      Alert

      Re: Standard Operating Procedure

      completely replace all the installed software/firmware

      How exactly do you propose replacing the firmware on your AMD/Intel PC? Because on those platforms, all firmware updates take the form of asking the preinstalled (opaque, cryptographically locked) firmware to please update itself with this new (opaque, cryptographically locked) file. A malicious firmware would just ignore that request or conveniently copy the malware over to the new firmware.

      Unless you mean "take the entire machine apart, voiding the entire hardware warranty, and get out your Raspberry Pi for some firmware writing action"? Your average beancounter in your average corporation would go into an apoplectic fit just at the first suggestion, and the result probably won't work very well considering the OEM writes some fairly important machine specific data to parts of the stock firmware.

      And when the firmware itself tries to install crapware (Superfish anyone?) repaving the OS won't help one bit, even if Microsoft allows you to do so without the OEM bundled crap or paying for another license.

      And no, I don't use big box (i.e. Dell, Lenovo, etc.) PCs, or Windows, nor does my employer. For these reasons and others. And they do verify firmware, but insist on buying PCs and laptops with open source code to the firmware. It's a bit of a different situation.

      Don't trust the vendor, don't buy their hardware. That advice holds regardless of whether the source is open or closed, but open source helps one trust the vendor more.

      1. whitepines Silver badge
        Facepalm

        Re: Standard Operating Procedure

        Wetware fault, it wasn't Superfish, it was LSE. Still Lenovo, just a different way of screwing your privacy over.

      2. Anonymous Coward
        Anonymous Coward

        Re: Standard Operating Procedure

        Only familiar with HP kit, not so much the others you mentioned.

        I use HP's System Software Manager software. Basically I have a load of drivers for a load of HP kit on a network drive, SSM will go through it all and apply the latest drivers from my stash to the PC/laptop. It can also do BIOS updates as well.

  7. cb7

    Having worked on machines from pretty much all the vendors, I don't like the way Dell's are designed.

    And no, I'm not talking about aesthetics.

    I'm talking about crucial things like:

    Desktops: Non industry standard cases and power supplies.

    Laptops: hard drive connectors that sit on mini daughter boards bolted (I kid u not) to the motherboard. One drop and the connector shears off.

    Poorly designed motherboards that need 5 or more ribbon connectors for peripherals whilst most others get by with one. And don't get me started on buggy firmware that doesn't handle sleep transitions properly resulting in data loss / corruption.

    You couldn't pay me to buy a Dell.

    1. Anonymous Coward
      Anonymous Coward

      To be fair, I haven't heard of Dell using the proprietary PSU pinouts--you know, where a standard PSU would immediately fry the board if you didn't re-pin it before installation--in quite a long time.

      I still wouldn't buy one, but I've built my own for too long to do otherwise. None of the usual OEMs make anything I'd pay for, outside of some vendors that basically do custom stuff... and I'm too cheap to pay someone else to do what I can do myself. (Gotta justify this huge pile of bits 'n bobs I keep around, y'know!)


Biting the hand that feeds IT © 1998–2020