Dell’s SupportAssist, an inbuilt tool designed to install the right drivers and perform health checks on Dell PCs, had been harbouring two potentially fatal security vulnerabilities since at least September 2018.
The discovery of the two high-risk vulnerabilities was made by a 17-year-old security researcher from Boston, Massachusetts named Bill Demirkapi, when he decided to replace his aging MacBook Pro with a Dell G3.
The first vulnerability, named ‘Remote Code Execution Vulnerability (CVE-2019-3719)’, allows an unauthenticated attacker who shares the network access layer with the vulnerable system to compromise it by tricking a victim into downloading and executing arbitrary executables via SupportAssist from attacker-hosted sites.
The second vulnerability, called ‘Improper Origin Validation (CVE-2019-3718)’, allows an authenticated attacker to attempt one-click attacks on users of affected PCs.
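The second flaw is a named bug class rather than a one-off: improper origin validation, where a local service that browser pages can reach decides whether to trust a request by inspecting its Origin header too loosely. The Python below is an added illustration of that class, not code from the article or from Dell's software, and makes no claim about how SupportAssist itself was built. It places a weak substring check beside a strict exact-match check and runs both through a minimal request handler; the allowlisted hostnames and the handler are constructed for the example.

```python
"""Added example (not Dell's or SupportAssist's code): weak versus strict
validation of the Origin header on a local service that browser pages may call.
All hostnames below are constructed placeholders."""
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host) pairs permitted to call the local agent.
ALLOWED_ORIGINS = {("https", "support.example.com"), ("https", "www.example.com")}


def weak_origin_check(origin: str) -> bool:
    """Improper origin validation: a substring test on the Origin header.
    Any origin string that merely *contains* a trusted hostname passes, so
    'https://support.example.com.attacker.test' is accepted."""
    return any(host in origin for _, host in ALLOWED_ORIGINS)


def strict_origin_check(origin: str) -> bool:
    """Proper origin validation: parse the Origin header and require an exact
    (scheme, host) match against the allowlist. Anything unparsable, non-HTTPS,
    carrying a path/query/fragment, or on an unexpected port is rejected."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()  # hostname is already lowercased by urlsplit
    return (parts.scheme, host) in ALLOWED_ORIGINS


def handle_local_request(headers: dict, check=strict_origin_check) -> tuple:
    """Minimal handler for a privileged local endpoint: gate on the Origin
    header with the supplied check before doing any work. Header names are
    matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin", "")
    if not check(origin):
        return 403, "forbidden: origin not allowed"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed lookalike origin: passes the weak check, fails the strict one.
    lookalike = {"Origin": "https://support.example.com.attacker.test"}
    print("weak  :", handle_local_request(lookalike, check=weak_origin_check))
    print("strict:", handle_local_request(lookalike))
```

The strict check deliberately rejects rather than normalises: a bare scheme-and-host comparison against a fixed allowlist leaves no room for suffix tricks, query smuggling, or scheme downgrades, which is exactly where a substring or regex test on the raw header tends to fail.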
Demirkapi, who recounts his discovery in a blog post, apparently wrote to Dell about the vulnerabilities back in October 2018. Dell soon acknowledged the existence of the vulnerabilities and promised to roll out a fix within the first quarter of 2019.
However, it was only in late April that Dell released an advisory on the matter. As per Dell, SupportAssist Client version 22.214.171.124 and later contain fixes for the reported vulnerabilities; the installer is available from Dell’s support page for the vulnerability.
It remains unclear, though, why Dell took so long to patch the vulnerabilities.