December 11th, 2007
Zero-day flaw haunts HP laptop models
A zero-day hole is several major HP laptop models could provide an easy way for hackers to take complete control of Windows machines, according to a warning from an independent security researcher.
The researcher, known as “porkythepig,” discovered the vulnerability in the HP Info Center software that’s preinstalled on multiple HP Compaq notebook series to allow one-touch access to features.
The skinny from a detailed advisory:
One of [the software's] ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation based attacks.
[ ALSO SEE: There's a hole in your laptop, dear HP, dear HP ]
A successful exploit simply requires that the laptop owner is lured to a malicious Web site while using Microsoft’s Internet Explorer. The risks include remote code execution, remote system registry read/write access and remote shell command execution.
The vulnerable ActiveX control is identified as HPInfoDLL.dll, which is marked as “Safe for Scripting” by default.
The exploit code, which has been posted to Milw0rm.com and BugTraq, includes a list of HP laptop models that are confirmed vulnerable.
The researcher also provides a Web page that detects if your HP machine is vulnerable (use at your own risk).
This is the second time this year that HP has run into security trouble with software that ships with its laptop models. Back in June, the company patched a very serious Help and Support Center vulnerability that put Windows XP machines at risk of code execution attacks.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
