
On an OEM Windows install on a Dell XPS 13, when I navigate to the Dell support website, it offers to download and install updates (even firmware updates!) on the spot, in the browser, flouting all the usual sandboxing. This is Firefox which, to my knowledge, doesn't support any mechanism like ActiveX to make this possible.

How does it work? Is Dell injecting a backdoor into Firefox? Could a malicious website use this "feature" to cause damage?

mm201
  • The way this *might* work is by registering a custom schema handler. Steam, for instance, does this. You can start a game by clicking a button on the website, which just is a URI `steam://...`, which is then handled by Steam. Likewise, they could register `DellSupport://...` to always open with the SupportAssist application. Keep in mind I did not test this, it's just a guess. –  Apr 16 '19 at 14:20
  • AFAIK, schemas that want to open in an external program will show a confirmation prompt in Firefox, and the external program wouldn't (normally) tamper with the browser. – mm201 Apr 16 '19 at 14:22
  • Can you provide us with a direct link? Most people will not want to search through the whole `dell.com` website to find the application you might be referring to (including me). – Philipp Apr 16 '19 at 14:32
  • 1
    Digging through the inspector, I get the sense it's running a local web server that the webpage talks to over xhr. The link begins with https://www.dell.com/support/home/ . The full link may contain sensitive information. – mm201 Apr 16 '19 at 14:41
  • Yes, schemas require confirmation at first. However, since you said it was pre-installed on your OS, it could be that that schema was already pre-confirmed. –  Apr 17 '19 at 07:22
  • @MechMK1 it's not the schema. See my answer. – ximaera Dec 01 '21 at 15:04

1 Answer


It very well might be.

The way it works is that SupportAssist runs its own local HTTP server on your computer, at http://127.0.0.1:8084/ . The JavaScript application on the Dell support website calls pages on that server to control SupportAssist and install applications.

Though Dell uses some kind of authentication on that server (you can read about the details here), it was found to be vulnerable before, on multiple occasions, and it wouldn't be any surprise if a new vulnerability were discovered.

ximaera