Computing giant Dell released a security advisory Thursday encouraging customers to patch a software vulnerability the company says could have enabled hackers to access sensitive information on “several million” machines running Microsoft Windows.
The unnamed issue in Dell’s SupportAssist application could have allowed outsiders to take over a machine and read the stored physical memory, according to SafeBreach Labs, a California network security company. Dell released its security patch to fix this issue on May 28, and a spokesperson says more than 90 percent of customers have received the update. Dell waited three weeks to go public with the advisory to allow time for PC Doctor, the third-party supplier behind the component responsible for the vulnerability, to release its own advisory.
SafeBreach did not provide any evidence hackers exploited the vulnerability, but such a flaw would be a tempting target for hackers. The tool comes preinstalled on Dell computers and helps customers check the health of both hardware and software. Those tasks require a high level of permission, and abusing such access would allow an intruder to make other moves to get persistent access, according to SafeBreach researcher Peleg Hadar.
“The vulnerability provides the ability to be loaded and executed by a signed service,” Hadar wrote. “This ability might be abused by an attacker for different purposes such as execution and evasion, for example: application whitelisting bypass [and] signature validation bypassing.” In short, a hacker could get the computer to run code that it might otherwise reject.
When researchers presented their findings to Dell, they learned the vulnerability also affects other original equipment manufacturers that rely on hardware rebranded from PC Doctor, the firm behind the equipment powering Dell’s SupportAssist. PC Doctor did not provide researchers with a list of other computer companies affected. The company did not respond to a request for comment from CyberScoop by press time.
SafeBreach had initially said the vulnerability affected roughly 100 million machines, though Dell disputed that characterization, saying “several million” were at risk.
This disclosure comes after Dell in April patched a separate SupportAssist vulnerability that could have allowed an attacker to hijack a Dell computer if the two machines shared a local internet connection, ZDNet reported at the time. That vulnerability was reported by a 17-year-old researcher in October 2018.
Even with a patch, it sometimes takes organizations weeks to mitigate their risk.
Enterprise security teams typically prioritize their patches based on the likelihood that a flaw will be exploited and the possible fallout. Then, fixes generally are implemented only after a round of testing to ensure the updates don’t create unintended consequences. Meanwhile, hackers often begin launching their attacks as soon as possible, corporate security executives told CyberScoop earlier this week.