Hewlett Packard's consumer arm has warned of a serious security flaw in its Touchpoint Analytics software, which - naturally - comes pre-installed on the majority of its machines.
First spotted by security firm SafeBreach, the vulnerability itself exists in the open-source Open Hardware Monitor software - which, unfortunately, a number of manufacturers add to their own software to make monitoring a system's hardware easier. HP is among them, using Open Hardware Monitor as a core part of its Touchpoint Analytics software, which comes pre-installed on the majority of its devices.
The result: almost every consumer-centric HP system still running the default Windows install is vulnerable to attack, with successful exploitation allowing for arbitrary code execution while bypassing application whitelisting and signature validation security features.
The vulnerability exists in versions of the Touchpoint Analytics software - presented to the user as the 'HP Device Health Service' - prior to 184.108.40.20627. Those running an HP system are advised in the company's security bulletin to go into Device Manager, Software Components, and the properties of the HP Device Health Service entry to check the version installed; if it's below 220.127.116.1127, the fixed version can be installed through Windows Update.
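One way to automate that version check across a fleet, as an added example that is not drawn from the article or from HP's bulletin: the service display name is taken from the article, the fixed version is supplied by the operator, and it is assumed (unverified) that the service binary's file version tracks the version shown in Device Manager.

```powershell
# Added example (not the article's or HP's code): report whether the
# HP Device Health Service on this host is older than the fixed version.
# Assumptions: display name 'HP Device Health Service' (from the article);
# the fixed version is passed in by the operator from HP's bulletin; the
# binary's file version is assumed to match what Device Manager shows.
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion   # version quoted in HP's bulletin
)

$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'HP Device Health Service' }

if (-not $svc) {
    Write-Output 'HP Device Health Service not installed: not affected'
    return
}

# PathName may be quoted and carry arguments; keep only the executable path.
$exe = $svc.PathName
if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }

# FileVersion is free text; extract the leading dotted number for comparison.
$raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
$ver = [version]([regex]::Match($raw, '\d+(\.\d+){1,3}').Value)

if ($ver -lt $FixedVersion) {
    Write-Output "VULNERABLE: $exe is $ver (fixed in $FixedVersion); service state=$($svc.State)"
} else {
    Write-Output "OK: $exe is $ver"
}
```

Run it as a local administrator (or push it through your endpoint management tooling) and feed the output into inventory so unpatched hosts can be prioritised for Windows Update.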
'These types of vulnerabilities are alarming because they indicate the ease with which malicious hackers could mount supply-chain attacks targeting and breaching highly trusted elements of our software ecosystem,' claims Itzik Kotler, chief technology officer and SafeBreach co-founder. 'And this should be a clear signal to security teams that they need to increase their frequency of testing and analysis of their security envelope in order to match the pace of criminals who are constantly innovating ways to hack into the most vulnerable parts of IT systems.'
The security alert comes five months after Dell was hit by a similar issue in its SupportAssist utility.
October 15 2020 | 14:00