The HP Support Assistant is a useful software utility provided by HP so that users can download and install necessary firmware and software, check performance related metrics, run some basic troubleshooting, among other things. However, the technology giant has warned that it found a security vulnerability in the application which could lead to privilege escalation using the DLL hijacking method. HP has assigned high severity rating for the new flaw with a CVSS v3.1 base score of 8.2.
The problem is precisely present in its Performance Tune-up diagnostic tool. In its security bulletin, HP explains the issue:
Privilege escalation in HP Support Assistant
HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.
HP has also listed the vulnerable software versions that are to be avoided:
HP Support Assistant versions earlier than 9.11
Fusion versions earlier than 1.38.2601.0
Hence, HP PC owners are advised to download and install the HP Support Assistant version 9.11 from the company's official website here.