In May, Dell’s SupportAssist troubleshooting PC utility was found to be vulnerable to an attack that could compromise Dell laptops and desktops. This week Dell disclosed a second flaw (CVE-2019-12280) that could allow both malware and a rogue logged-in user to gain administrative privileges and take over the victim’s computer. SupportAssist ships with all Dell desktops, laptops and tablets.
Dell’s SupportAssist Isn't Made by Dell
The vulnerable component of Dell’s SupportAssist application is made by a third-party company, PC-Doctor. CVE-2019-12280 is an uncontrolled DLL search path in PC-Doctor code that runs with SYSTEM privileges: a low-privileged user, or malware running as that user, who can place a DLL where the service looks for it gets code execution as SYSTEM. Because PC-Doctor licenses the same software to other OEMs, this flaw may affect other PC vendors if they also bundle software from PC-Doctor.
The flaw affects Dell SupportAssist for Business PCs version 2.0, as well as Dell SupportAssist for Home PCs version 3.2.1 and all prior versions. Dell has already issued updated versions of the software (2.0.1 for Business PCs and 3.2.2 for Home PCs) and has encouraged its customers to update the utility as soon as possible. Automatic updates are typically enabled by default, but if that fails, users can download the latest versions of the software from Dell’s website. Note that a version check only confirms that the patched build is installed; it does not tell you whether an attacker already used the flaw before the update was applied.
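Rather than trusting that auto-update ran, an administrator can audit a fleet for the installed SupportAssist build and compare it against the fixed releases. The script below is an added example, not Dell’s or PC-Doctor’s code; it assumes SupportAssist registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning "Dell SupportAssist", that the Business edition includes "Business" in that name, and that the minimum fixed versions are 2.0.1 (Business) and 3.2.2 (Home) as in Dell’s advisory.

```powershell
# Added example (not Dell's or PC-Doctor's code): report whether the installed
# Dell SupportAssist build is at or above the release that fixes CVE-2019-12280.
# Assumptions: fixed versions 2.0.1 (Business) and 3.2.2 (Home); the Business
# edition's DisplayName contains the word "Business".

$FixedVersions = @{
    'Business' = [version]'2.0.1'
    'Home'     = [version]'3.2.2'
}

function Get-SupportAssistInstall {
    # Look in both the native and the WOW6432Node Uninstall hives so a 32-bit
    # installer on a 64-bit Windows is not missed.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Dell SupportAssist*' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-SupportAssistPatched {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $DisplayVersion
    )
    # Edition heuristic (assumption): Business builds name themselves as such.
    $edition  = if ($DisplayName -match 'Business') { 'Business' } else { 'Home' }
    $required = $FixedVersions[$edition]

    # A missing or unparseable DisplayVersion is treated as unpatched: an
    # installer that does not record its version cannot prove it is current.
    $installed = $null
    if (-not [string]::IsNullOrWhiteSpace($DisplayVersion)) {
        try { $installed = [version]$DisplayVersion } catch { $installed = $null }
    }

    [pscustomobject]@{
        Name      = $DisplayName
        Edition   = $edition
        Installed = $installed
        Required  = $required
        Patched   = ($null -ne $installed -and $installed -ge $required)
    }
}

$installs = @(Get-SupportAssistInstall)
if ($installs.Count -eq 0) {
    Write-Output 'Dell SupportAssist is not installed on this host.'
} else {
    $installs | ForEach-Object {
        Test-SupportAssistPatched -DisplayName $_.DisplayName -DisplayVersion $_.DisplayVersion
    } | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session, or push it through your endpoint management tool and collect the `Patched` column. Version strings with four parts (for example 3.2.1.1) compare correctly against the three-part minimums because `[version]` treats the missing revision as lower than zero.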
Is Dell Taking Customer Security Seriously?
More than one serious vulnerability that attackers could exploit to take over Dell PCs has been found in recent years. At this point we have to wonder whether Dell is taking cybersecurity seriously.
The same “feature” in a troubleshooting application that lets a Dell IT support agent remotely log in to a customer’s PC could just as easily serve as a backdoor for a malicious party to log in to that same PC. The only safeguard is strong protection that ensures Dell, or anyone else, can remotely log in to a customer’s PC only after that customer has explicitly approved it.
Even then, Dell’s IT support agents should authenticate to a user’s PC with a unique credential that no other third party holds. Attackers could still manage to steal those credentials from Dell’s servers, which they may have already done a few months back in a data breach, which is why Dell management needs to think about its customers’ security much more holistically. Making it easy to log in to customers’ PCs, shipping poorly verified or unverified third-party software, and failing to properly authenticate Dell IT support should all be a no-go.