Computerworld - The hacker who posted an exploit very last week that threatened a large swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new assault code that can "brick" almost every single HP laptop computer.
,
Microsoft Office 2007 Sale
Within a submit to the milw0rm.com Site Wednesday, a Polish safety researcher who employed the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management used by HP's Software program Update, the patch management system bundled with nearly each and every HP- and Compaq-branded laptop computer.
According to porkythepig's publish,
Office 2007 Key, the Application Update bugs permit an attacker corrupt Windows' kernel files, making the laptop unbootable, or using a little more energy, allow hacks that might consequence in a very Computer hijack or malware infection. In possibly situation, a drive-by attack may be conducted by feeding consumers an e-mail message using a website link to a malicious Web page.
"Every HP notebook machine containing the HP Software Updates software is vulnerable," claimed porkythepig. "It is doable the vulnerable machine model listing disclosed through the vendor as being a confirmation for the prior situation concerning HP laptops, [the] HP Data Center situation, will likely be related within this case."
Last week, porkythepig disclosed several flaws in other computer software included with HP's portables. Once the company patched the vulnerabilities a day later on, it outlined 83 affected laptops.
The situation in which an attacker overwrites the kernel and thus "bricks" the HP or Compaq notebook, was out of the normal, since most hacks goal to snatch handle from the machine or infect it with identity-stealing malware. But the crippling attack, stated porkythepig, is actually the less complicated with the two. "This attack vector isn't going to demand any extra victim social engineering, since the program files are constantly placed in the predictable places," he mentioned.
A drive-by attack that hopes to execute rogue code, however, requires more perform. To efficiently exploit the ActiveX bug in Computer software Update and compromise the computer, the hacker needs to know the area of specific files.
The researcher stated he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and the vulnerabilities pose a threat to any user with possibly World wide web Explorer six (IE6) or IE7 around the Pc. Nor will HP be able to use the down-and-dirty fix it deployed previous week, stated porkythepig. Soon after he exposed numerous bugs in HP's Info Center weekly in the past, HP issued an update that basically disabled the vulnerable software program.
"Simple disabling in the vulnerable manage by the vendor's patch, like inside the other HP application vulnerability scenario,
Cheap Office Home And Business 2010, HP Information, [could still] consequence within the machine['s] application update technique [being] compromised, and would leave the consumer vulnerable to future safety troubles,
Buy Windows 7 Home Basic," porkythepig explained within the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz,
Blurring the Line Between Netbook and Notebook, Technology Rewind: HP-35/35th Anniversary Edition anticipated shortly
Robert L. Mitchell,
Windows 7 Professional Product Key, Actuality Check out: Ink wars: HP's glass fifty percent empty defense
Robert L. Mitchell, Fact Check out: Kodak vs HP ink wars: Pick your paper wisely
HP unveils its very first Linux laptop
Ken Mingis, Mingis on Macs: Mac end users 'unbearably smug' about protection?
C.J. Kelly's blog: Hacking Stupidity 101: By no means hack from residence
The eight most risky client technologies
Read more about Protection in Computerworld's Protection Subject Center.
Microsoft Office 2007 Sale 'Bricking' bug threaten
Hybrid Mode
