Computerworld - The hacker who posted an exploit last week that threatened a sizable swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that may "brick" almost each HP laptop computer.
Within a submit towards the milw0rm.com Site Wednesday, a Polish safety researcher who used the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management used by HP's Software Update, the patch management system bundled with just about each HP- and Compaq-branded laptop.
In accordance to porkythepig's post, the Computer software Update bugs permit an attacker corrupt Windows' kernel files, producing the laptop computer unbootable, or which has a minor a lot more hard work, allow hacks that may consequence in a very Laptop hijack or malware infection. In either case, a drive-by assault might be executed by feeding customers an e-mail message using a website link to a malicious Web site.
"Every HP notebook machine made up of the HP Application Updates software is susceptible,
Office 2010 Home And Student," claimed porkythepig. "It is possible that the susceptible machine design list disclosed from the vendor as being a confirmation to the past problem regarding HP laptops, [the] HP Info Center circumstance, will likely be comparable during this scenario."
Final week,
Office Home And Student, porkythepig disclosed many flaws in other software provided with HP's portables. When the firm patched the vulnerabilities each day later, it outlined 83 impacted laptops.
The situation in which an attacker overwrites the kernel and therefore "bricks" the HP or Compaq notebook, was out of the regular, considering that most hacks goal to snatch control in the machine or infect it with identity-stealing malware. But the crippling assault, mentioned porkythepig, is in fact the less complicated in the two. "This attack vector isn't going to call for any extra victim social engineering, since the method files are usually positioned inside the predictable spots," he explained.
A drive-by attack that hopes to execute rogue code, nonetheless, requires a lot more work. To effectively exploit the ActiveX bug in Application Update and compromise the computer, the hacker has to know the location of particular files.
The researcher said he had examined the exploit code on Windows 2000, XP,
Microsoft Office 2010 Home And Business, Server 2003 and Vista, and that the vulnerabilities pose a danger to any consumer with possibly Internet Explorer six (IE6) or IE7 within the Pc. Nor will HP be capable of use the down-and-dirty resolve it deployed previous week, stated porkythepig. After he exposed many bugs in HP's Data Center per week ago, HP issued an update that basically disabled the vulnerable application.
"Simple disabling from the vulnerable handle from the vendor's patch, like within the other HP software vulnerability case, HP Info,
Office 2010 Key, [could still] result in the machine['s] application update method [being] compromised, and would leave the user vulnerable to future security problems," porkythepig mentioned within the milw0rm.com write-up.
HP did not reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Engineering Rewind: HP-35/35th Anniversary Edition expected shortly
Robert L. Mitchell, Fact Verify: Ink wars: HP's glass fifty percent empty defense
Robert L. Mitchell, Fact Verify: Kodak vs HP ink wars: Decide on your paper wisely
HP unveils its first Linux laptop computer
Ken Mingis,
Windows 7 Activation Key, Mingis on Macs: Mac customers 'unbearably smug' about safety?
C.J. Kelly's blog site: Hacking Stupidity 101: Never ever hack from home
The eight most hazardous client technologies
Read far more about Safety in Computerworld's Protection Subject Middle.
Office Home And Student 'Bricking' bug threatens m
Linear Mode
