June 25, 2019

Dell PCs running Windows are being shipped with a serious security flaw that gives attackers system-level access to hardware and software.

Dell’s troubleshooting SupportAssist software – a Windows toolkit designed in part to protect your computer from security vulnerabilities – has a vulnerability of its own.

It can be exploited by malware or a rogue insider to gain administrator powers.

The new vulnerability was discovered by security researchers at SafeBreach and disclosed yesterday in a public blog post. Dell has now issued an update to patch it.

SupportAssist is preinstalled on Dell’s home and business computers. It proactively examines the health of a PC’s hardware and software.

Dell has had trouble with SupportAssist before. This time however the vulnerability extends to other laptop manufacturers that (like Dell) use their own white-label version of the same Windows package, which includes a component known as PC-Doctor Toolbox.

According to SafeBreach that could mean more than 100 million affected systems that need immediate patching.

Other companies known to make use of this same component in software packages include office supplies brand Staples, and the gaming company Corsair.

What does it mean for PC users?

Because the SupportAssist tool has admin-level access, it can automatically install updates to Windows machines. A malicious third party could exploit this vulnerability to install malware and hide it inside what are known as dynamic link library files, or DLL files.

Dell’s website says SupportAssist is preinstalled on most of Dell devices running Windows. So until users install the patch from Dell, the vulnerability will continue to threaten millions of Dell PC and other Windows users.

Security awareness training is the best cyber security investment a business can make – Harvard Business Review

SafeBreach haven’t provided proof that cybercriminals exploited the vulnerability, but say there are two key ways it could be exploited by a cybercriminal.

  1. The first is it could give attackers the ability to load and execute ‘malicious payloads by a signed service’ (that is, install malware under the guise of an approved software application).
  2. The second is an attacker or rogue insider could gain access to the PC’s read/write permissions (that is,make the computer run code that it might otherwise reject).

Both exploits would hand over a considerable level of control that could lead to the machine being re-configured to share private information, or gain access to other resources once connected to a company network.

SafeBreach asked the company that makes PC-Doctor how many devices are affected by the vulnerability, but they declined to answer. The PC-Doctor website suggests PC manufacturers ‘…have installed over 100 million copies of PC-Doctor for Windows on computer systems worldwide.’

Your laptop as a Trojan Horse

Cybercriminals could use the exploit to enable a supply chain attack, where malware is embedded into the code of ‘certified safe and approved’ PC software and firmware.

In the last 18 months they’ve become a priority issue in cybersecurity. Targeting software developers and suppliers, the objective is to access source codes, build processes, and mechanisms that use apparently innocent software updates to sneak malware into otherwise safe machines.

Because the software is created by trusted vendors, infected apps like PC Doctor are signed and certified safe. The manufacturers who pre-load the compromised software are unaware that their apps or updates have been infected when they’re released to the public.

Bad code embedded within then runs on company systems with the same trust and permissions as the software itself.

Given the popularity of some applications the number of potential victims is significant. The rewards of a single infection to a widely-used piece software could net hundreds, thousands or as we’ve seen in the SupportAssist vulnerability – tens of millions of victims.

Making life easier for malicious insiders

In the hands of a rogue employee, the PC Doctor vulnerability could enable all kinds of nastiness, from theft of company secrets to data deletion and stealing financial details that could lead to fraud.

Most insider threats arise from simple errors and negligence, but there are criminal insiders who will intentionally nick data or commit other malicious acts for personal gain or financial reward.

Gartner study found that more than 60 percent of criminal insiders were ‘second streamers’ – using hacking as a side hustle to supplement income.

Disgruntled employees may also seek to damage systems, corrupt data, or steal intellectual property out of a desire for revenge.

What can companies do?

To eliminate the threat of rogue insiders, staff training is essential. Harvard Business Review calls security awareness training ‘the best cyber security investment a business can make’. That includes training for everyone from executives to employees, but should also take into account ‘outside insiders’ like white label software suppliers.

On the technical front, when adding new machines to thenetwork or installing regular software and security updates, we follow the old Russian proverb:

Trust, but verify.

Ask software vendors what steps they’ve taken to be able to detect any unwanted changes in their software development processes.

  • Be ready to dry-run new updates in sandboxed test environments to detect any suspicious behaviour.
  • Once certified safe, patch machines quickly.
  • Monitor traffic behaviour on the network to identify odd or adverse patterns, enabling you to block suspicious applications before they do damage
  • Finally, make sure employees are able to identify the signs of unexpected behaviour in the software systems they use every day.

Want to learn more about empowering employees with security awareness training?  Sign up for a free demo and find out how we’re already helping organisations just like yours.

Share this: