Computerworld - The hacker who posted an exploit very last week that threatened a substantial swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that will "brick" almost every single HP laptop.
In a very submit to the milw0rm.com Site Wednesday, a Polish protection researcher who utilised the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management utilized by HP's Software program Update, the patch management system bundled with virtually every HP- and Compaq-branded laptop computer.
According to porkythepig's submit, the Software Update bugs allow an attacker corrupt Windows' kernel files,
Office 2010 Home And Business Key, generating the laptop computer unbootable, or with a little much more energy, permit hacks that would consequence within a Pc hijack or malware infection. In either case, a drive-by assault might be performed by feeding consumers an e-mail message which has a hyperlink to a malicious Website.
"Every HP notebook machine made up of the HP Software program Updates application is vulnerable," claimed porkythepig. "It is achievable that the vulnerable machine design checklist disclosed by the vendor as a confirmation to the previous situation about HP laptops, [the] HP Information Middle case, is going to be equivalent on this case."
Last week,
Office 2007 Ultimate Key, porkythepig disclosed several flaws in other application integrated with HP's portables. If the organization patched the vulnerabilities a day later, it outlined 83 affected laptops.
The scenario during which an attacker overwrites the kernel and therefore "bricks" the HP or Compaq notebook, was out of the normal, considering that most hacks goal to snatch management in the machine or infect it with identity-stealing malware. But the crippling attack, explained porkythepig, is actually the simpler of the two. "This assault vector doesn't call for any further victim social engineering, because the method files are always placed in the predictable locations," he explained.
A drive-by assault that hopes to execute rogue code, however, requires more operate. To productively exploit the ActiveX bug in Computer software Update and compromise the laptop or computer, the hacker has to know the site of specific files.
The researcher explained he had examined the exploit code on Windows 2000, XP, Server 2003 and Vista, and the vulnerabilities pose a risk to any person with possibly Net Explorer 6 (IE6) or IE7 on the Personal computer. Nor will HP manage to make use of the down-and-dirty resolve it deployed final week, said porkythepig. Following he uncovered several bugs in HP's Info Middle every week back, HP issued an update that just disabled the vulnerable software program.
"Simple disabling from the susceptible control from the vendor's patch, like inside the other HP software vulnerability circumstance, HP Info, [could still] end result in the machine['s] application update method [being] compromised, and would depart the person susceptible to long term protection troubles," porkythepig said from the milw0rm.com write-up.
HP did not reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Engineering Rewind: HP-35/35th Anniversary Edition expected soon
Robert L. Mitchell,
Office Enterprise 2007 Key, Actuality Verify: Ink wars: HP's glass 50 percent empty defense
Robert L. Mitchell,
Office 2010 Professional, Reality Examine: Kodak vs HP ink wars: Decide on your paper wisely
HP unveils its first Linux laptop computer
Ken Mingis,
Office 2007, Mingis on Macs: Mac end users 'unbearably smug' about security?
C.J. Kelly's blog: Hacking Stupidity 101: In no way hack from property
The eight most dangerous customer technologies
Read a lot more about Protection in Computerworld's Protection Topic Center.
Office 2010 Home And Business Key 'Bricking' bug t
Linear Mode
