Vulnerability found and fixed in HP bloatware

hp-chromebook-14a-g5-ports.jpgImage: Sandra Vogel/ZDNet

HP Touchpoint Analytics, an application that comes preinstalled on HP systems, contains a security flaw that could let malware gain admin rights and take over vulnerable systems.

The security flaw was discovered over the summer by security researchers from SafeBreach Labs.

HP has released updates this month to address the issue.

HP desktop and laptop owners are advised to follow instructions detailed in the HP security advisory and update the HP Touchpoint Analytics client at their earliest convenience.

Vulnerability details

The HP Touchpoint Analytics app is what users normally call “bloatware,” a type of software that comes pre-installed on new devices.

The app’s purpose is to collect diagnostics data about hardware performance and send the information back to HP.

As such, the app usually whitelisted and runs with admin rights on HP systems — to be able to access various details from software drivers and other hardware components.

But in a report shared with ZDNet this week, Peleg Hadar, a security researcher with SafeBreach Labs, said he found a way to hijack the application’s normal mode of operation and load malicious DLL files to run rogue code with elevated privileges.

Hadar found what security experts call a local privilege escalation (LPE), a type of vulnerability that’s quite common in modern software.

The vulnerability won’t allow hackers to take over a system from a remote location, but it will allow local apps or malware to funnel malicious commands through its code and execute those operations with full admin rights.

While most LPE vulnerabilities are low risk, this one’s severity is amplified by the app’s huge install-base — being found on hundreds of millions of HP desktops and laptops.

This makes this vulnerability attractive to malware gangs, who will see a real benefit to gain by including it into their future exploit chains.

Controversial app

As ZDNet sister-site TechRepublic pointed out in its coverage, the disclosure of a security flaw in the HP Touchpoint Analytics app will not go down well with HP users.

In the past, users have complained about the app being nothing more than spyware disguised as an analytics app, and about the app slowing down systems on which it was installed [1, 2].

Across the years, HP denied any such rumors and said that users were free to uninstall the app at any time they wished [1, 2].

The HP Touchpoint Analytics vulnerability is the second security flaw that Hadar discovered this year in a vendor’s bloatware. He previously found one that impacted the SupportAssist app that comes pre-installed on Dell systems.

READ MORE HERE