Millions of Dell PCs Vulnerable to Attack: Patch Now

UPDATED with comment from Dell and additional information from SafeBreach.

Millions of Dell computers running Windows, and possibly many more computers made by other brands, are vulnerable to a flaw in their internal system-health software that could let hackers take over the machines, according to a new report from Sunnyvale, California-based SafeBreach.

Credit: Laptop Magazine

(Image credit: Laptop Magazine)

In Dell machines, the software is called SupportAssist. It's made by PC-Doctor, a maker of hardware-diagnostics software that licenses its software to other electronic-device makers.

The SafeBreach researchers said PC-Doctor refused to give them a list of its other clients, but the PC-Doctor website states that "leading manufacturers have installed over 100 million copies of PC-Doctor for Windows on computer systems worldwide."

Dell and PC-Doctor have pushed out a firmware update that fixes this issue, which you can install following the instructions on Dell's support page for the SupportAssist flaw. However, you might have to wait for more information regarding devices made by other licensees of PC-Doctor software.

MORE: Best Windows Antivirus

The SupportAssist function is vulnerable because it doesn't securely handle shared-code repositories known as DLLs. To avoid duplication, modern operating systems store pieces of code used by many programs in common repositories called direct link libraries, abbreviated as DLLs in Windows or dylibs in macOS.

Programs load DLL files when they start up, but attackers can set traps by corrupting existing DLLs or substituting malicious DLL files, which then inject malicious code into programs that use those DLLs. Most programs have ways to prevent such "DLL injection," but Dell SupportAssist clearly doesn't, because that's how the SafeBreach researchers were able to attack it.

Because SupportAssist runs as SYSTEM, it has very deep hooks into the operating system, and hijacking its functions would let an attacker do virtually anything on the machine -- especially because it's a "signed" service recognized as safe by Microsoft.

Unfortunately, the software creates an open door for attackers because it searches for a few DLLs that weren't on the Dell machines the SafeBreach team used: AlienFX.dll, atiadlxx.dll, atiadlxy.dll and LenovoInfo.dll.

The last one is interesting because a Dell machine shouldn't contain a file called "LenovoInfo.dll". That may be a clue to the identity of one of PC-Doctor's other clients. "AlienFX.dll" makes more sense because Dell owns gaming-PC-maker Alienware.

Anyhow, because none of those DLLs actually existed on the test machines, the SafeBreach researchers simply created their own files and gave them the names of the missing files. Lo and behold, Dell SupportAssist loaded those files and ran their code, without checking who made the files or where they were located in the system.

SafeBreach said Dell SupportAssist, and presumably PC-Doctor, could mitigate this problem by allowing only DLLs that were "signed" by authorized software makers, and by limiting searches for DLLs to only those folders where specific DLLs are supposed to be.

SafeBreach reported this vulnerability to Dell on April 29, and Dell in turn referred it to PC-Doctor, which got the vulnerability listed in the common vulnerablity database as CVE-2019-12280.

UPDATE: Dell reached out to Tom's Guide to state that "Dell SupportAssist is not made by PC-Doctor. The vulnerability discovered by SafeBreach is a PC-Doctor vulnerability, which is a third-party component that ships with Dell SupportAssist for PCs."

"More than 90% of customers to date have received the update, released on May 28, 2019, and are no longer at risk. Dell SupportAssist updates automatically if automatic updates are enabled, and most customers have automatic updates turned on."

SafeBreach posted an updated version of its findings with the information that several other pieces of software were vulnerable: the aforementioned PC-Doctor Toolbox for Windows, and other versions that SafeBreach said had been "re-branded" as Corsair One Diagnostics, Corsair Diagnostics, Staples Easy Tech Diagnostics, Tobii I-Series Diagnostic Tool and Tobii Dynavox Diagnostic Tool.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.