Computerworld - The hacker who posted an exploit last week that threatened a sizable swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that may "brick" nearly every HP laptop.
In a post on the milw0rm.com Web site Wednesday, a Polish security researcher who used the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control used by HP's Software Update, the patch management system bundled with just about every HP- and Compaq-branded laptop.
According to porkythepig's post, the Software Update bugs allow an attacker to corrupt Windows' kernel files, making the laptop unbootable, or, with a little more effort, enable hacks that may result in a PC hijack or malware infection. In either case, a drive-by attack could be executed by feeding users an e-mail message with a link to a malicious Web site.
"Every HP notebook machine containing the HP Software Update application is susceptible," claimed porkythepig. "It is possible that the susceptible machine model list disclosed by the vendor as a confirmation of the past concern about HP laptops, [the] HP Info Center case, is going to be equivalent in this situation."
Last week, porkythepig disclosed many flaws in other software provided with HP's portables. When the company patched the vulnerabilities a day later, it listed 83 affected laptops.
The scenario in which an attacker overwrites the kernel and thus "bricks" the HP or Compaq notebook is out of the ordinary, because most hacks aim to seize control of the machine or infect it with identity-stealing malware. But the crippling attack, said porkythepig, is in fact the simpler of the two. "This attack vector does not demand any added victim social engineering, because the system files are usually put in the predictable spots," he explained.
A drive-by attack that hopes to execute rogue code, however, needs much more work. To successfully exploit the ActiveX bug in Software Update and compromise the computer, the hacker has to know the location of particular files.
The researcher said he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a threat to any user with either Internet Explorer 6 (IE6) or IE7 on the PC. Nor will HP be able to use the down-and-dirty fix it deployed last week, said porkythepig. After he exposed many bugs in HP's Info Center a week ago, HP issued an update that simply disabled the vulnerable software.
"Simple disabling of the vulnerable control by the vendor's patch, like in the other HP software vulnerability case, HP Info Center, [could still] result in the machine['s] software update system [being] compromised, and would leave the user vulnerable to potential security concerns," porkythepig explained in the milw0rm.com post.
HP did not reply to e-mailed requests for confirmation and comment.