Computerworld - The hacker who posted an exploit very last week that threatened a substantial swath of Hewlett-Packard Co.'s laptop computer lineup followed up yesterday with new assault code that may "brick" virtually each HP laptop.
Inside a submit to the milw0rm.com Site Wednesday, a Polish protection researcher who used the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control used by HP's Software program Update, the patch management method bundled with nearly each HP- and Compaq-branded laptop computer.
According to porkythepig's post,
Buy Windows 7 Enterprise ‘Free Extra’ License or Product Key for Windows Vista,
Window 7, the Software program Update bugs permit an attacker corrupt Windows' kernel files, making the laptop unbootable, or which has a tiny far more work, enable hacks that might consequence within a Laptop hijack or malware infection. In both case, a drive-by assault might be carried out by feeding consumers an e-mail message using a website link to a malicious Site.
"Every HP notebook machine that contains the HP Computer software Updates software is vulnerable," claimed porkythepig. "It is doable that the vulnerable machine design listing disclosed from the vendor like a confirmation for the earlier concern concerning HP laptops,
Buy Office Standard 2007, [the] HP Info Middle case, will be comparable on this situation."
Previous week, porkythepig disclosed multiple flaws in other software provided with HP's portables. When the company patched the vulnerabilities every day later on,
Buy Office 2007, it listed 83 impacted laptops.
The situation during which an attacker overwrites the kernel and hence "bricks" the HP or Compaq notebook, was from the ordinary, since most hacks purpose to snatch management of the machine or infect it with identity-stealing malware. But the crippling attack, stated porkythepig,
Microsoft Office 2007 Sale, is actually the less complicated in the two. "This assault vector isn't going to require any extra victim social engineering, because the system files are usually put within the predictable locations," he mentioned.
A drive-by assault that hopes to execute rogue code, nonetheless, requires more function. To efficiently exploit the ActiveX bug in Software Update and compromise the personal computer, the hacker needs to know the location of particular files.
The researcher mentioned he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and the vulnerabilities pose a danger to any person with both Internet Explorer 6 (IE6) or IE7 around the Laptop. Nor will HP manage to use the down-and-dirty correct it deployed final week, stated porkythepig. After he uncovered many bugs in HP's Data Middle weekly back, HP issued an update that basically disabled the susceptible computer software.
"Simple disabling with the vulnerable management through the vendor's patch, like inside the other HP application vulnerability scenario, HP Data, [could still] outcome within the machine['s] computer software update technique [being] compromised, and would depart the consumer vulnerable to foreseeable future protection troubles," porkythepig said from the milw0rm.com write-up.
HP did not reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Technological innovation Rewind: HP-35/35th Anniversary Edition expected shortly
Robert L. Mitchell, Truth Check out: Ink wars: HP's glass half empty defense
Robert L. Mitchell,
Office Professional, Reality Check: Kodak vs HP ink wars: Select your paper wisely
HP unveils its very first Linux laptop computer
Ken Mingis, Mingis on Macs: Mac customers 'unbearably smug' about safety?
C.J. Kelly's blog: Hacking Stupidity 101: Never ever hack from home
The 8 most hazardous buyer technologies
Read much more about Security in Computerworld's Protection Topic Center.
Microsoft Office 2007 Sale 'Bricking' bug threaten
Xia
Linear Mode
