Remote Code Execution (RCE) issues in Dell’s client support tool – SupportAssist Client – now mean this pre-installed resource could pose a long-term security threat for IT estate leadership. The latest RCE flaw (CVE-2019-3719) has been given a security advisory notice by Dell.
According to ThreatPost:
“The bug, which was discovered by John C. Hennessy-ReCar, could be exploited by an unauthenticated remote attacker who could launch CSRF attacks on users of the impacted systems. CSRF allows an attacker to send malicious commands from one site to another using the credentials of a user that the destination site trusts. Further details on the flaw were not made available.
The computer-maker has had its fair share of security concerns, including last November, when the company warned its Dell.com customers of unauthorized activity on its network. Adversaries attempted to access names, email addresses and hashed passwords — which prompted a reset of all Dell.com customer passwords.”
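Dell has not published details of the flaw, so the following is only a generic illustration of the defence a web-facing endpoint normally applies against the CSRF mechanism the quote describes: it is an added example, not Dell's code and not the actual fix. It assumes a hypothetical, server-side session dictionary, a constructed trusted origin (`https://support.example.com`), and a per-session token that the legitimate page embeds in its forms. A cross-site request from another origin cannot read that token, and its `Origin` header will not match, so the state-changing command is rejected even though the browser attaches the user's credentials.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for this example: the only origin allowed to drive
# state-changing requests against the hypothetical support endpoint.
TRUSTED_ORIGINS = {"https://support.example.com"}

# Methods that must never change state, so they need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create a random per-session token and store it server-side.
    The legitimate page embeds this value in its forms; a page on a
    different origin cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer.
    Returns None when neither header is present."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if not referer:
        return None
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.netloc:
        return None
    return f"{parsed.scheme}://{parsed.netloc}"


def csrf_check(method, headers, form, session):
    """Return True if a request may proceed, False if it must be rejected.

    method  -- HTTP method string, e.g. "POST"
    headers -- dict of request headers (constructed in the test)
    form    -- dict of submitted form fields
    session -- server-side session dict for the authenticated user
    """
    if method.upper() in SAFE_METHODS:
        return True

    # First gate: the browser-supplied origin must be one we trust.
    # A request launched from a malicious site fails here.
    if request_origin(headers) not in TRUSTED_ORIGINS:
        return False

    # Second gate: the form must carry the secret token bound to this
    # session, compared in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    legit = csrf_check("POST", {"Origin": "https://support.example.com"},
                       {"csrf_token": token}, session)
    cross_site = csrf_check("POST", {"Origin": "https://other.example.net"},
                            {"csrf_token": token}, session)
    print("same-origin request accepted:", legit)
    print("cross-origin request accepted:", cross_site)
```

Both gates are deliberately kept: an origin check alone fails open when a proxy strips headers, and a token alone is only as strong as the secrecy of the page that embeds it, so a locally installed support agent exposing an HTTP listener would want both plus a restrictive bind address.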
Dell has published a guidance note, available here, that outlines the affected products, the remedial steps required to fix this security issue and the download links for the fixes. If you are worried about keeping up with patch updates, why not develop your own organisational patch update plan? Computer World provides a live blog, updated every month with the latest Windows updates – available here.