Users are urged to update to the latest product release

Apr 7, 2015 12:22 GMT

Dell’s support tool System Detect has been added to Malwarebytes’ list of potentially unwanted applications (PUP) due to a serious vulnerability in older versions that continue to be installed on users’ computers.

Successful exploitation of the flaw allows an attacker to execute code downloaded from a remote location, without user interaction.

Nasty remote code execution vulnerability

Security researcher Tom Forbes drew attention to this glitch last month, highlighting that System Detect, used to retrieve the service tag of the machine when looking for suitable drivers on the company’s support page, starts with the system after installation.

Forbes discovered that the application verifies that requests come from a domain owned by Dell by simply looking for a “dell” string in the HTTP referrer or origin headers. Since the HTTP referrer includes the entire request URI (host and path included), an attacker could initiate a request from a website whose URL contains the “dell” string.

The application includes a function that permits downloading and launching a file, after the threat actor bypasses an easy-to-break authentication process, thus permitting execution of arbitrary files.

Following Forbes’ disclosure in November 2014, Dell released an updated System Detect tool (version 6.0.9) on January 9, 2015, which mitigated the risk only partially. A newer release (6.0.14) became available last week, which no longer starts with the system and accepts requests only from the “*dell.com” domain.
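The difference between the substring test Forbes described and a check on the parsed host can be seen in the following added example, which is not Dell's code or code from the article. The function names, the sample header values and the exact matching rule (https only, host equal to dell.com or a subdomain of it) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dell.com"  # domain named in the article; matching rule is assumed


def substring_check(header_value: str) -> bool:
    """Flawed check as the article describes it: any 'dell' in the header passes."""
    return "dell" in header_value.lower()


def host_check(header_value: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Accept only an https URL whose host is the trusted domain or a subdomain."""
    try:
        parts = urlsplit(header_value)
        host = parts.hostname  # drops userinfo and port, lowercases the host
    except ValueError:  # malformed header value
        return False
    if parts.scheme != "https" or not host:  # https-only is an assumption
        return False
    host = host.rstrip(".")
    # Compare on a label boundary so "notdell.com" does not match "dell.com".
    return host == trusted or host.endswith("." + trusted)


# Constructed Referer/Origin values for illustration (not from the article).
SAMPLES = [
    "https://www.dell.com/support/home",
    "https://dell.com",
    "https://attacker.example/dell/index.html",
    "https://dell.attacker.example/",
    "https://notdell.com/",
    "https://www.dell.com.attacker.example/",
    "https://www.dell.com@attacker.example/",
    "null",
]


def compare(samples=SAMPLES):
    """Return (value, substring result, host result) for each sample."""
    return [(s, substring_check(s), host_check(s)) for s in samples]


if __name__ == "__main__":
    for value, weak, strict in compare():
        print(f"{value:42} substring={weak!s:5} host={strict}")
```

Both headers are supplied by the client, so a check like this only filters requests made by browsers on behalf of other websites and does not replace authenticating the request itself.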

Many users are still affected, PUP flag designed to raise awareness

However, a large portion of users did not update and still rely on old, vulnerable versions. With no auto-update mechanism available, they have to complete the task manually, something that has proven troublesome on many occasions with regard to more critical software (outdated versions of Firefox, Chrome and Flash are still detected, despite the auto-update feature being available in each of them).

Because of the large number of users running older versions of Dell System Detect, Malwarebytes decided to mark the software as a PUP, in an effort to speed up the process of switching to the latest build of the tool.

“However, we at Malwarebytes are pretty sure there are a lot of folks that won’t know about this vulnerability, so we decided to detect it for the sake of raising awareness,” the security vendor says.

According to data from F-Secure, Dell System Detect was found on about 100,000 computers, and only 1% of them were running the current version.

Versions of Dell System Detect identified by F-Secure