Computerworld - The hacker who posted an exploit very last week that threatened a big swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new assault code that can "brick" practically every single HP laptop computer.
Within a publish for the milw0rm.com Web site Wednesday, a Polish safety researcher who utilised the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control utilized by HP's Application Update, the patch management method bundled with practically each and every HP- and Compaq-branded laptop computer.
According to porkythepig's publish,
Office Professional Plus 2007 Product Key, the Software program Update bugs let an attacker corrupt Windows' kernel files, generating the laptop computer unbootable, or which has a little a lot more hard work, allow hacks that would outcome in a Pc hijack or malware infection. In possibly situation, a drive-by assault could be carried out by feeding end users an e-mail message having a website link to a malicious Website.
"Every HP notebook machine that contains the HP Software Updates software is vulnerable," claimed porkythepig. "It is feasible that the susceptible machine design checklist disclosed from the vendor as being a confirmation for the past situation about HP laptops, [the] HP Information Middle scenario, will probably be comparable during this case."
Previous week, porkythepig disclosed several flaws in other computer software integrated with HP's portables. If the business patched the vulnerabilities a day later, it outlined 83 impacted laptops.
The situation through which an attacker overwrites the kernel and as a result "bricks" the HP or Compaq notebook, was out of the regular, since most hacks goal to snatch handle with the machine or infect it with identity-stealing malware. But the crippling assault, said porkythepig, is actually the simpler from the two. "This assault vector does not require any added victim social engineering, because the system files are often put from the predictable places," he said.
A drive-by attack that hopes to execute rogue code, nonetheless, needs much more perform. To successfully exploit the ActiveX bug in Computer software Update and compromise the computer, the hacker needs to know the area of certain files.
The researcher stated he had examined the exploit code on Windows 2000, XP,
Buy Office Professional 2010, Server 2003 and Vista,
Office 2007 Professional Key, and the vulnerabilities pose a threat to any consumer with both Web Explorer 6 (IE6) or IE7 within the Pc. Nor will HP be capable of utilize the down-and-dirty correct it deployed last week, said porkythepig. Soon after he unveiled many bugs in HP's Info Center per week back, HP issued an update that simply disabled the vulnerable application.
"Simple disabling of the susceptible management by the vendor's patch,
Microsoft Office Standard 2010 Key, like within the other HP software vulnerability scenario, HP Info,
Cheap Office Enterprise 2007, [could still] consequence in the machine['s] software update technique [being] compromised, and would leave the user vulnerable to long term protection problems," porkythepig mentioned in the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Engineering Rewind: HP-35/35th Anniversary Edition anticipated soon
Robert L. Mitchell, Actuality Examine: Ink wars: HP's glass half empty defense
Robert L. Mitchell, Reality Verify: Kodak vs HP ink wars: Decide on your paper wisely
HP unveils its very first Linux laptop computer
Ken Mingis, Mingis on Macs: Mac consumers 'unbearably smug' about security?
C.J. Kelly's blog site: Hacking Stupidity 101: Never ever hack from property
The eight most risky buyer technologies
Read far more about Security in Computerworld's Security Matter Center.
Microsoft Office Standard 2010 Key 'Bricking' bug
Linear Mode
