Severe vulnerability in Dell SupportAssist, second time this year

Welcome to the Dell Community  @unBIOSed 

Please check here.

DSA-2019-084: Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Security Update for PC Doctor Vulnerability

https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en

Best regards,

U2

So here is my question, again:
CAN DELL OFFICIALLY DISPROVE THE FACT THAT ANYONE WHO'S HAD SUPPORTASSIST SHOULD NOW REINSTALL WINDOWS, IN ORDER TO BE SAFE? 

I uninstalled "Support Assist" a while back on my 7572.  I don't touch any DELL driver, so called, "RECOMMENDED or URGENT," updates.  Long story short, you do at your own risk.      If it ain't brook, don't fix it!  Period.

I do the same with all my laptops I have and they perform w/o any problems.  Leave the factory installed software/hardware alone. That's me, for numerous years, via IT instructions.... MAINLY "BIOS" on the MOTHER BOARD.  

I don't have SupportAssist either, because it broke my Windows installation by pushing an automatic update. But tech support installed it again on a clean Windows install, and ran it briefly, when we were updating the drivers, etc. For many other users, though, it's been on the computer from day one, and they never removed it... Plus, there are many people who have had it on their machines, for one duration or another.

So here's my unanswered question to Dell, yet again,

CAN DELL OFFICIALLY DISPROVE THE FACT THAT ANYONE WHO'S HAD SUPPORTASSIST SHOULD NOW REINSTALL WINDOWS, IN ORDER TO BE SAFE? 

unBiosED,

Our first priority is product security and helping our customers ensure the security of their data and systems. The vulnerability discovered by SafeBreach is a PC Doctor vulnerability, a third-party component that ships with Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs. PC Doctor moved quickly to release the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to review our security advisory (DSA-2019-084) and turn on automatic updates or manually update their SupportAssist software.

FAQ

Q: When was the fix issued? We implemented the fix from PC Doctor and released updates on May 28, 2019 for the affected SupportAssist versions.

Q: If you’re just now disclosing the vulnerabilities, how did customers know to update SupportAssist? SupportAssist updates automatically if automatic updates are enabled. Most customers have automatic updates enabled. More than 90% of customers have already upgraded to the updated versions and are no longer at risk for these vulnerabilities. We urge all SupportAssist customers to review the security advisory (DSA-2019-084) and, if applicable, download the updates:

Q: Some reports say 100s of millions of users/PCs are at risk. Is that true? No. Several million PCs were originally at risk, but more than 90% of customers have downloaded the update and are no longer at risk.

Q: What are the affected versions? Dell SupportAssist for Business PCs version 2.0, and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions. This is resolved with the latest SupportAssist versions released on May 28, 2019: • Dell SupportAssist for Home PCs version 3.2.2 • Dell SupportAssist for Business PCs version 2.0.1

Q: Where can I find more info? You can view our security advisory for more information: DSA-2019-084. You can also find the latest versions of SupportAssist here: • Dell SupportAssist for Home PCs version 3.2.2 (for single PC users) • Dell SupportAssist for Business PCs version 2.0.1 (for IT managers)

Q: Why did it take you so long to issue a security advisory after you released the patch?

You can view our security advisory for more information: DSA-2019-084. You can also find the latest versions of SupportAssist here: • Dell SupportAssist for Home PCs version 3.2.2 (for single PC users) • Dell SupportAssist for Business PCs version 2.0.1 (for IT managers)

Q: Why did it take you so long to issue a security advisory after you released the patch?

We follow industry best practices to disclose vulnerabilities in a responsible and coordinated fashion. Since the vulnerable component was with PC Doctor, we coordinated with PC Doctor so they could responsibly and fairly alert their other customers to give them a chance to implement the fix as well before we publicly disclosed our fix.

Customers can review our security advisory (DSA-2019-084) and refer to https://dell.to/2YbuW3i for the latest security advisories and notices.

Q: What’s the difference between this vulnerability and the one in late April/early May? The PC Doctor vulnerability affecting Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs is a third-party vulnerability. It requires the potential hacker have user privileges on the vulnerable PC to obtain and exploit administrative privileges.

The vulnerability announced and fixed in late April was a remote code execution vulnerability within SupportAssist for Home PCs. This means an unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via the SupportAssist client from attacker-hosted sites. These vulnerabilities have been fixed.

Q: Is SupportAssist a flawed product? No. SupportAssist proactively checks the health of system hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin. Dell then contacts the customer to start the resolution conversation, preventing issues from becoming costly problems.

We continually and routinely test our products as prevention, product security and the security of our customers’ data and systems are our top priorities. We use in-house teams and third-party vendors to perform vulnerability assessments for our customer applications. We have implemented security checks for validating the signature / request origin, we perform Secure Development Lifecycle (SDL) practices and have integrated security automation and testing into our development process.

Q: Should customers be concerned about using SupportAssist now and in the future? No. SupportAssist helps keep system hardware and software up to date, which is an essential component of general security best practices. We continually and routinely test our products as prevention, product security and the security of our customers’ data and systems are our top priorities. We use in-house teams and third-party vendors to perform vulnerability assessments for our customer applications. We have implemented security checks for validating the signature / request origin, we perform Secure Development Lifecycle (SDL) practices and have integrated security automation and testing into our development process.

Q: What end-products are affected? Dell SupportAssist for PCs is now preinstalled on most new Dell devices running Windows operating system. We urge all SupportAssist customers to review the security advisory (DSA-2019-084) and, if applicable, download the updates.

Q: In general, it seems like the number of security vulnerabilities are growing? Why the increase? While it might seem like the number of security vulnerabilities are growing, we believe the industry as a whole is becoming more transparent in reporting vulnerabilities and following best practices to ensure the security of products and customer data. Dell follows industry standards and best practices for our testing and disclosures, down to the level of details provided in our security advisories and utilizing the security and research community. Our customers expect and deserve this level of transparency and commitment to security. We are continuously evaluating and improving our testing and reporting process and welcome feedback.

Q: What is Dell doing to secure its products and protect its customers? Dell strives to help our customers minimize risk associated with security vulnerabilities in our products by providing customers with timely information, guidance and mitigation to address threats from vulnerabilities.

Continual testing and prevention is a key priority for us. We use in-house teams and third-party vendors to perform vulnerability assessments for our customer applications. We have implemented security checks for validating the signature / request origin, we perform Secure Development Lifecycle (SDL) practices and have integrated security automation and testing into our development process. In addition, we employ a thorough process to continually evaluate and improve our vulnerability response practices. Dell is an active participant in the Software Assurance Forum for Excellence in Code (SAFECode: https://dell.to/2Ylo7fm), the Forum for Incident Response (https://dell.to/2YbivV1) and international standards efforts that are developed for vulnerability disclosure and handling such as ISO 29147 and ISO 30111. See Dell's Vulnerability Response Policy for more information.

@DELL-Jesse L 

unBIOSed,

It is the customer's choice if he/she doesn't like the SupportAssist they can always uninstall the app.