Update: Most HP, Compaq notebooks ship with code bugs
Flaws in ActiveX control revealed by hacker who hits HP on 'patent wars'
Computerworld - Nearly two-dozen different laptop models sold by Hewlett-Packard Co. ship with software plagued with multiple zero-day vulnerabilities, security researchers said today.
Later in the day, HP confirmed the bugs and said a patch would be made available Thursday.
The bugs are in an ActiveX control included with the HP Info Center software preinstalled on both HP- and Compaq-branded laptops running Windows 2000, XP, Server 2003 and Vista, Symantec Corp. said in a note to clients of its DeepSight threat network. Info Center is a part of HP's Quick Launch Buttons application, which gives users one-click access to information and configuration details on the portables.
"One of its ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution- and remote registry manipulation-based attacks," said a researcher using the alias "porkythepig" in posts to both milw0rm.com and the Bugtraq security mailing list.
The posts spelled out the vulnerabilities and included proof-of-concept exploit code.
Symantec recommended that users set the "kill bit" on the ActiveX control until HP produces a patch; that process, however, requires editing the Windows registry, a daunting chore for most. A less effective defense would be to disable Active Scripting in Internet Explorer, Symantec added in the note, since "the primary way to exploit this vulnerability is via a malicious Web page."
Although porkythepig claimed that the defective ActiveX control has shipped with "almost every HP laptop model for [the past] few years," he claimed that 23 different notebooks had been confirmed as running the flawed control. The list included the HP 510 and 530; the Compaq 2710, 2510, 6120, 6220, 6230, 6325, 6510, 6715, 6910, 7300, 8220, 8230, 8440, 8510, 8710 and 9440; and the NC, NW and NX series notebooks.
Hewlett-Packard said it was addressing the flaw. "HP continues actively working as priority a permanent resolution that will fully eliminate this security vulnerability without affecting the functionality of HP Info Center," said company spokesman Mike Hockey in an e-mail. "The permanent resolution is expected to be available as a SoftPaq classified as 'critical' and available on the HP 'Software and Driver Downloads' website."
The hacker also took a shot at HP in the messages on milw0rm.com and Bugtraq. "I think the company so deeply involved in security software patents war should take a bigger care about the users' security than taking profits from the rights to the invention of the circle," said porkythepig. "After all, what are the security software patents worth if it is the user who has the final word about their own software security?"
It was unclear what "patents war" porkythepig referred to, but HP recently settled with Web application security vendor Cenzic Inc. to cross-license multiple patents that had been at the heart of two lawsuits filed by SPI Dynamics Inc., a security testing tools developer acquired by HP in June. The settlement was announced by the two companies Oct. 1, and the lawsuits were immediately dropped.
Related News and Discussion:
- 'Bricking' bug threatens most HP, Compaq laptops
- Evan Koblentz, Technology Rewind: HP-35/35th Anniversary Edition expected soon
- Robert L. Mitchell, Reality Check: Ink wars: HP's glass half empty defense
- Robert L. Mitchell, Reality Check: Kodak vs HP ink wars: Choose your paper wisely
- HP unveils its first Linux laptop
- Ken Mingis, Mingis on Macs: Mac users 'unbearably smug' about security?
- C.J. Kelly's blog: Hacking Stupidity 101: Never hack from home
- The 8 most dangerous consumer technologies
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts