A bug in applications developed using the Portrait Display SDK, v2.30 through 2.34, default to insecure configurations which enable arbitrary code execution, according to Vulnerability Note VU#219739 from CERT at Carnegie Mellon University.
Various apps developed using the Portrait Displays SDK do not use secure permissions when running, the alert explained. "These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all authenticated users. This allows local authenticated attackers to run arbitrary code with system privileges."
According to an advisory from US-CERT, the affected applications, pre-installed on some Fujitsu, HP, and Philips devices, are:
- Fujitsu DisplayView Click: Version 6.0 and 6.01. The issue was fixed in v6.3.
- Fujitsu DisplayView Click Suite: Version 5. The issue is addressed by patch in v5.9.
- HP Display Assistant: Version 2.1. The issue was fixed in v2.11.
- HP My Display: Version 2.0. The issue was fixed in v2.1.
- Philips Smart Control Premium: v2.23, 2.25. The issue was fixed in v2.26.
Users are advised to update affected applications to the latest version.