Computerworld - The hacker who posted an exploit last week that threatened a substantial swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new assault code that can "brick" virtually each and every HP laptop.
,
Microsoft Office Pro Plus 2007
In a post for the milw0rm.com Site Wednesday, a Polish safety researcher who utilized the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management used by HP's Software Update, the patch management program bundled with practically every HP- and Compaq-branded laptop.
According to porkythepig's post, the Software Update bugs let an attacker corrupt Windows' kernel files, generating the laptop computer unbootable, or which has a small far more hard work, let hacks that would result in a Personal computer hijack or malware infection. In both scenario, a drive-by attack could be carried out by feeding consumers an e-mail message using a link to a malicious Web page.
"Every HP notebook machine containing the HP Application Updates application is vulnerable," claimed porkythepig. "It is doable that the susceptible machine design checklist disclosed from the vendor as being a confirmation for the past situation regarding HP laptops, [the] HP Info Center circumstance, will likely be similar on this circumstance."
Very last week,
Windows 7 Professional Product Key, porkythepig disclosed many flaws in other application provided with HP's portables. Once the business patched the vulnerabilities each day later on,
Purchase Windows 7, it listed 83 affected laptops.
The scenario during which an attacker overwrites the kernel and hence "bricks" the HP or Compaq notebook,
Microsoft Office Pro Plus, was out of the ordinary, given that most hacks aim to snatch handle with the machine or infect it with identity-stealing malware. However the crippling attack, said porkythepig, is in fact the simpler from the two. "This attack vector doesn't demand any extra victim social engineering, since the method files are always positioned from the predictable areas," he mentioned.
A drive-by assault that hopes to execute rogue code,
Office 2007 Keygen, nonetheless, calls for far more function. To productively exploit the ActiveX bug in Software program Update and compromise the laptop or computer, the hacker must know the location of specific files.
The researcher explained he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a chance to any consumer with either Web Explorer 6 (IE6) or IE7 to the Personal computer. Nor will HP be capable of make use of the down-and-dirty repair it deployed previous week, said porkythepig. Following he unveiled a number of bugs in HP's Information Center weekly in the past, HP issued an update that just disabled the vulnerable software.
"Simple disabling of the susceptible manage by the vendor's patch, like within the other HP software program vulnerability scenario, HP Information, [could still] outcome from the machine['s] software program update program [being] compromised, and would leave the consumer susceptible to long term safety problems," porkythepig stated within the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Technology Rewind: HP-35/35th Anniversary Edition expected shortly
Robert L. Mitchell, Truth Examine: Ink wars: HP's glass 50 percent empty defense
Robert L. Mitchell, Fact Verify: Kodak vs HP ink wars: Pick your paper wisely
HP unveils its 1st Linux laptop
Ken Mingis, Mingis on Macs: Mac consumers 'unbearably smug' about safety?
C.J. Kelly's website: Hacking Stupidity 101: In no way hack from residence
The 8 most risky consumer technologies
Read more about Security in Computerworld's Safety Subject Center.
Office 2007 Keygen 'Bricking' bug threatens most H
Linear Mode
