HP bloatware contains flaws that could allow cybercriminals to run code remotely, elevate their privileges and delete arbitrary files after successfully compromising the target device.
This is according to cybersecurity researcher Bill Demirkapi, who claims he notified HP of the flaws in December last year. While some have been patched successfully, others remain, placing owners of HP's Windows PCs at serious risk, Bleeping Computer reported.
The flaws were found in HP Support Assistant, a program that comes pre-installed with every HP device from 2012 onward. It's designed to deliver automated support, updates and fixes to HP devices.
It seems that the only way users can protect their devices is to completely remove the vulnerable software – meaning both HP Support Assistant and HP Support Solutions Framework.
"It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine," Demirkapi explained.
This is not the first time Demirkapi has found vulnerabilities in bloatware - he was also responsible for the discovery of similar flaws in software found in both Lenovo and Dell devices.