Windows PCs Exposed to Attacks by Critical HP Support Assistant Bugs

Several critical HP Support Assistant vulnerabilities expose Windows computers to remote code execution attacks and could allow attackers to elevate their privileges or to delete arbitrary files following successful exploitation.

HP Support Assistant, marketed by HP as a "free self-help tool," is pre-installed on new HP desktops and notebooks, and it is designed to deliver automated support, updates, and fixes to HP PCs and printers.

"Improve the performance and reliability of your PCs and printers with automatic firmware and driver updates," HP says. "You can configure your options to install updates automatically or to notify you when updates are available."

HP computers sold after October 2012 and running Windows 7, Windows 8, or Windows 10 operating systems all come with HP Support Assistant installed by default.

https://www.bleepingcomputer.com/news/security/windows-pcs-exposed-to-attacks-by-critical-hp-support-assistant-bugs/ 

Security researcher Bill Demirkapi found ten different vulnerabilities within the HP Support Assistant software, including five local privilege escalation flaws, two arbitrary file deletion vulnerabilities, and three remote code execution vulnerabilities.

HP PSIRT partially patched the vulnerabilities in December 2019 after receiving an initial disclosure report from Demirkapi during October 2019.

Another patch was issued in March 2020 after the researcher sent an updated report in January to patch one of the flaws that was left untouched previously and to fix a newly introduced one.

However, HP failed to patch three of the local privilege escalation vulnerabilities which means that even if you are using the latest HP Support Assistant version, you are still exposed to attacks. 

This type of vulnerability is commonly exploited by malicious actors during the later stages of their attacks to elevate permissions and establish persistence, allowing them to further compromise a targeted machine after it has been infiltrated.

"It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine," Demirkapi explained in his detailed technical description.

Does anyone know if the HP Support Assistant is based on the same PC-Doctor Toolbox utility as the Dell SupportAssist? PC-Doctor was an HP partner back in the days of my old HP Pavilion / Vista machine per the 2005 announcement <here> but I'm not sure if HP Support Assistant currently uses third-party PC-Doctor libraries on their Win 10 machines.

Similar vulnerabilities have been reported for Dell SupportAssist in the past (see Sergiu Gatlan's 01-May-2019 Dell Computers Exposed to RCE Attacks by SupportAssist Flaws and 10-Feb-2020 Dell SupportAssist Bug Exposes Business, Home PCs to Attacks in BleepingComputer), and Michael Kan's 21-Jun-2019 Pre-Installed 'SupportAssist' Tool on Dell PCs Vulnerable to Bug in PCMagazine notes that:

"...According to Dell's own website, SupportAssist is used by millions of its customers. Unfortunately, the vulnerability impacts other brands as well. That's because the flaw deals with a third-party component in SupportAssist from a company called PC-Doctor, which specializes in producing diagnostic tool software.

In a statement, PC-Doctor said the vulnerability was also found in the company's PC-Doctor Toolbox software for Windows, which has been installed on over 100 million computers from other unnamed PC vendors...".

I don't like having Dell SupportAssist v3.4.5.366 installed on my Win 10 machine, but I've been told by Dell support agents that remote support sessions and uploading of diagnostic logs must be initiated through the "Get Support" tab of Dell SupportAssist while my Win 10 machine is still under warranty.

------------
64-bit Win 10 Pro v1909 build 18363.720 * Firefox ESR v68.6.1 * Windows Defender v4.18.2003.8 * MB Free v3.8.3
Dell Inspiron 15 5584, Intel i5-8265U@1.60/1.80 GHz, 8 GB RAM, Toshiba 250 GB SSD, Intel UHD Graphics 620