Computerworld - The hacker who posted an exploit last week that threatened a substantial swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that will "brick" almost every HP laptop.
In a post to the milw0rm.com Web site Wednesday, a Polish security researcher who uses the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control used by HP's Software Update, the patch management program bundled with nearly every HP- and Compaq-branded laptop.
According to porkythepig's post, the Software Update bugs let an attacker corrupt Windows' kernel files, making the laptop unbootable, or, with a little more effort, allow attacks that may result in a PC hijack or malware infection. In either scenario, a drive-by attack could be carried out by feeding users an e-mail message with a link to a malicious Web site.
"Every HP notebook machine containing the HP Software program Updates software is susceptible," claimed porkythepig. "It is achievable that the vulnerable machine design list disclosed through the vendor as a confirmation to the earlier issue about HP laptops, [the] HP Information Center case, will be related in this circumstance."
Last week, porkythepig disclosed multiple flaws in other software included with HP's portables. When the company patched the vulnerabilities a day later, it listed 83 affected laptops.
The scenario in which an attacker overwrites the kernel and thereby "bricks" the HP or Compaq notebook is out of the ordinary, since most attacks aim to seize control of the machine or infect it with identity-stealing malware. But the crippling attack, said porkythepig, is actually the simpler of the two. "This assault vector does not demand any added victim social engineering, since the system files are constantly placed inside the predictable areas," he stated.
A drive-by attack that aims to execute rogue code, however, requires more work. To successfully exploit the ActiveX bug in Software Update and compromise the computer, the hacker has to know the location of particular files.
The researcher said he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a risk to any user with either Internet Explorer 6 (IE6) or IE7 on the PC. Nor will HP be able to use the down-and-dirty fix it deployed last week, said porkythepig. After he revealed several bugs in HP's Information Center a week ago, HP issued an update that simply disabled the vulnerable software.
"Simple disabling in the vulnerable handle through the vendor's patch, like from the other HP computer software vulnerability case, HP Information, [could still] result from the machine['s] software update technique [being] compromised, and would leave the consumer susceptible to future security issues," porkythepig mentioned in the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.