Computerworld - The hacker who posted an exploit very last week that threatened a substantial swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that may "brick" nearly every single HP laptop computer.
In a publish for the milw0rm.com Web site Wednesday, a Polish protection researcher who employed the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control utilized by HP's Computer software Update,
Office Pro 2010, the patch management method bundled with virtually every single HP- and Compaq-branded laptop.
According to porkythepig's post, the Computer software Update bugs allow an attacker corrupt Windows' kernel files, producing the laptop unbootable, or having a minor more hard work, let hacks that would outcome inside a Personal computer hijack or malware infection. In possibly circumstance, a drive-by assault may be performed by feeding customers an e-mail message using a website link to a malicious Website.
"Every HP notebook machine that contains the HP Software program Updates application is vulnerable," claimed porkythepig. "It is doable the vulnerable machine design listing disclosed from the vendor as a confirmation on the prior problem regarding HP laptops, [the] HP Info Middle situation, will likely be comparable on this situation."
Very last week,
Office Standard 2007, porkythepig disclosed numerous flaws in other software provided with HP's portables. Once the organization patched the vulnerabilities a day later on, it detailed 83 impacted laptops.
The scenario in which an attacker overwrites the kernel and as a result "bricks" the HP or Compaq notebook, was out of the normal, since most hacks intention to snatch control in the machine or infect it with identity-stealing malware. But the crippling attack,
Office 2007 Product Key, said porkythepig, is in fact the less complicated with the two. "This attack vector does not call for any added victim social engineering, since the program files are often positioned inside the predictable places," he said.
A drive-by attack that hopes to execute rogue code, nevertheless,
Genuine Office 2010, requires far more operate. To effectively exploit the ActiveX bug in Application Update and compromise the personal computer, the hacker must know the site of certain files.
The researcher mentioned he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a chance to any person with either Web Explorer six (IE6) or IE7 around the Personal computer. Nor will HP have the ability to utilize the down-and-dirty repair it deployed final week, said porkythepig. Soon after he exposed numerous bugs in HP's Information Middle weekly back, HP issued an update that basically disabled the vulnerable software.
"Simple disabling from the susceptible handle by the vendor's patch, like from the other HP computer software vulnerability circumstance, HP Data, [could still] end result inside the machine['s] software program update system [being] compromised, and would leave the user susceptible to foreseeable future protection problems," porkythepig said inside the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Technologies Rewind: HP-35/35th Anniversary Edition expected shortly
Robert L. Mitchell, Actuality Check: Ink wars: HP's glass 50 percent empty defense
Robert L. Mitchell, Fact Verify: Kodak vs HP ink wars: Pick your paper wisely
HP unveils its very first Linux laptop
Ken Mingis,
Office 2007 Enterprise, Mingis on Macs: Mac users 'unbearably smug' about protection?
C.J. Kelly's website: Hacking Stupidity 101: In no way hack from residence
The 8 most dangerous client technologies
Read much more about Protection in Computerworld's Protection Matter Center.