Got an HP laptop or desktop? You'll want to make sure it has the latest HP software patches.
That's because there's a serious flaw in older versions of Touchpoint Analytics, aka HP Device Health Service, a diagnostic program built into most HP PCs running Windows. A user or a program with administrative rights could use Touchpoint Analytics to silently and permanently install malware at the system level, and a limited-user account could also do so in certain cases.
HP fixed this problem with Touchpoint Analytics/HP Device Health Service version 184.108.40.20627 on Oct. 4, but not all HP users may have yet received the update. Peleg Hadar of the security firm SafeBreach has a detailed technical writeup of the flaw in a blog post today (Oct. 10), which we summarize below.
How to make sure you're safe
There are two ways to check and resolve this issue -- one if you have Windows 10, and one if you don't. The second method also works for Windows 10, but is a bit more complicated. Both methods require you to be logged in as an administrator.
If you have Windows 10, right-click the Windows icon at the bottom left of your screen and select Device Manager. Scroll down to and expand the Software Components section. Right-click HP Device Health Service and select Properties. Select the Drivers tab and see which version of HP Device Health Service you have.
You want to have version 220.127.116.1127. If it's lower, then you want to trigger Windows Update to download and install the correct version.
Click the Windows icon at the bottom left of your screen and select the Settings icon -- it looks like a bicycle gear. Click on Updates & Security, then Windows Update if necessary, then click the big Check for Updates button. Windows will take care of the rest.
MORE: Best HP Laptops
If you have an earlier version of Windows, click the Windows icon at the bottom left of your screen, pop up the Start menu and select Control Panel. You can also just type Control Panel into the search field. Find and select Programs and/or Programs and Features. You may also have to select Uninstall a Program. Find HP Touchpoint Analytics Client and see which version number is listed next to it.
Again, you want to have version 18.104.22.16827. If it's lower, you'll have to update it. Unfortunately, Windows Update won't do this for you in pre-Windows 10, so you have to use another tool.
Go back to the bottom left of your screen and type in Administrative Tools. In the Administrative Tools window, double-click Task Scheduler. Right-click TechPulse Updater and select Run.
Going down the wrong PATH
The problem here arises because Touchpoint Analytics/HP Device Health Service uses open-source software called Open Hardware Monitor to access low-level components of a PC such as physical memory and hidden disk partitions. (You can download and install Open Hardware Monitor for yourself here.)
Open Hardware Monitor doesn't specify the location of certain code repositories called dynamic link libraries, or DLLs, and doesn't verify the contents of the DLLs themselves. This makes sense for a universally applicable Windows utility, but when that utility is repurposed as a diagnostics program with deep system privileges, bad things can happen.
When Touchpoint Analytics starts up, it looks for DLLs pertaining to many possible kinds of hardware on a PC, including third-party video cards from AMD/ATI and Nvidia. It searches several likely directories, or file paths, for these DLLs.
Those file paths are specified by a system-wide "environment variable" called PATH that tells Touchpoint Analytics (and many other Windows applications) where to look for DLLs and other executable files.
But if a computer doesn't have a third-party video card, then the proper DLLs won't be found or loaded. Researchers from security firm SafeBreach found they could create fake versions of AMD/ATI and Nvidia DLLs, modify the system-wide PATH environment variable to add new directories into which they'd put the bogus DLLs, and have Touchpoint Analytics choose and load the dodgy DLLs.
This kind of DLL switcheroo is known as a DLL injection, and it makes a program do things it shouldn't. PC gamers sometimes use DLL injection to cheat at games, and malicious hackers can use it to make a program run malicious code. (DLL injection works on Macs and Unix/Linux systems as well as on Windows.)
Because Touchpoint Analytics runs at the system level, it can do anything on a Windows system -- which means any malware loaded into it via DLL injection can too.
So why do we care? Because...
The catch is that on a standard HP Windows machine using the default PATH variable, none of this is possible unless you already have administrative privileges. But of course, if you already have administrative privileges, then you can install malware anyway. So you may be wondering what the outcry is.
Responding to a question from Laptop, Hadar said that the scope of the vulnerability "depends on the PATH environment variable of the victim's operating system."
In other words, if a machine happens to have existing modifications to the PATH environment variable, then Touchpoint Analytics, or implementations of Open Hardware Monitor on other systems, might be able to load malicious DLLs from non-system directories. That would let a user with limited privileges, or malware installed by the account of a limited user, inject a malicious DLL at the system level.
"We've seen some cases which this vulnerability was exploitable by a non-administrator user, because a particular folder in the PATH was writable by non-admin," Hadar told us.
Hadar and SafeBreach found a very similar flaw earlier this year in Dell machines that was also caused by a diagnostic service that used third-party software.
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.