Windows 10 Dell PCs endangered by flaw in pre-installed SupportAssist app

Dell has released an update for two dangerous bugs in its SupportAssist software that it pre-installs on many Windows PCs to check the health of the system’s hardware and software. 

Both flaws can be exploited remotely to compromise a Windows system. The first, CVE-2019-3718, stems from improper origin validation: a remote attacker without valid credentials could use it to attempt a cross-site request forgery (CSRF) attack against vulnerable systems.
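To make the origin-validation point concrete, here is an added example (not Dell's code and not the actual SupportAssist check, which this article does not describe) of how a locally listening support agent should validate a browser's Origin header against an exact allowlist; the vendor domain, the allowlist and the weak substring comparison shown beside the strict one are constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical local support agent: exact
# (scheme, host, port) tuples that are allowed to drive the local API.
TRUSTED_ORIGINS = {("https", "support.vendor.example", 443)}


def weak_origin_check(origin: Optional[str]) -> bool:
    """Illustrative weak pattern: substring match on the header value.

    Any origin that merely *contains* the trusted host name passes, so a
    lookalike host or a plain-http origin is accepted. Shown only to
    contrast with the strict check below."""
    return bool(origin) and "support.vendor.example" in origin


def strict_origin_check(origin: Optional[str]) -> bool:
    """Exact match of scheme, host and port against TRUSTED_ORIGINS.

    A missing or opaque ("null") Origin is rejected, as is anything that
    does not parse as a bare scheme://host[:port] origin."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # An Origin header never carries userinfo, path, query or fragment.
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port) in TRUSTED_ORIGINS


def evaluate(origins: Iterable[Optional[str]]) -> Dict[Optional[str], Tuple[bool, bool]]:
    """Return {origin: (weak_result, strict_result)} for a set of header values."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin header values, including lookalike hosts.
    for o, (weak, strict) in evaluate([
        "https://support.vendor.example",
        "https://support.vendor.example.attacker.test",
        "http://support.vendor.example",
        "null",
    ]).items():
        print(f"{o!r:50} weak={weak!s:5} strict={strict}")
```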

The second is a remote code execution (RCE) flaw, CVE-2019-3719, that can be exploited by an unauthenticated attacker who shares the network access layer with the vulnerable system.

The attacker would need to trick a victim into downloading and executing a file from a malicious site within the SupportAssist client, according to Dell’s description.

The RCE flaw was found by 17-year-old independent security researcher Bill Demirkapi, who posted a detailed writeup about the issue.