Computerworld - The hacker who posted an exploit previous week that threatened a big swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new assault code that can "brick" nearly every HP laptop.
In a publish to the milw0rm.com Site Wednesday, a Polish protection researcher who employed the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management utilized by HP's Computer software Update, the patch management system bundled with just about each and every HP- and Compaq-branded laptop computer.
According to porkythepig's post, the Software Update bugs allow an attacker corrupt Windows' kernel files, creating the laptop unbootable, or with a tiny far more hard work, enable hacks that may result in a Pc hijack or malware infection. In both case, a drive-by assault might be carried out by feeding consumers an e-mail message with a link to a malicious Site.
"Every HP notebook machine made up of the HP Computer software Updates software is vulnerable," claimed porkythepig. "It is feasible the vulnerable machine model list disclosed through the vendor being a confirmation to the past issue concerning HP laptops, [the] HP Data Center situation, is going to be similar within this case."
Previous week, porkythepig disclosed multiple flaws in other application provided with HP's portables. If the firm patched the vulnerabilities per day later on, it listed 83 impacted laptops.
The scenario in which an attacker overwrites the kernel and hence "bricks" the HP or Compaq notebook,
Office Professional 2007 Key, was from the normal, considering that most hacks aim to snatch control of the machine or infect it with identity-stealing malware. However the crippling attack,
Window 7, explained porkythepig, is really the simpler from the two. "This assault vector does not demand any further victim social engineering, since the method files are often put from the predictable spots," he stated.
A drive-by attack that hopes to execute rogue code, even so, demands far more perform. To successfully exploit the ActiveX bug in Computer software Update and compromise the computer,
Office Professional Plus Key, the hacker needs to know the location of specific files.
The researcher explained he had examined the exploit code on Windows 2000, XP, Server 2003 and Vista,
Office 2010 Standard Product Key,
Windows7 Ultimate Retailbox Full Version, Windows7 Ultimate Retailbox Full Version Supplier, and that the vulnerabilities pose a threat to any user with either World wide web Explorer six (IE6) or IE7 within the Personal computer. Nor will HP have the ability to make use of the down-and-dirty fix it deployed final week, explained porkythepig. After he exposed numerous bugs in HP's Data Center every week back, HP issued an update that basically disabled the vulnerable application.
"Simple disabling in the vulnerable manage through the vendor's patch, like in the other HP application vulnerability case, HP Data, [could still] result within the machine['s] software program update program [being] compromised, and would leave the person susceptible to foreseeable future security problems," porkythepig explained in the milw0rm.com write-up.
HP did not reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Technological innovation Rewind: HP-35/35th Anniversary Edition expected quickly
Robert L. Mitchell, Reality Check: Ink wars: HP's glass 50 % empty defense
Robert L. Mitchell, Truth Check: Kodak vs HP ink wars: Decide on your paper wisely
HP unveils its very first Linux laptop
Ken Mingis,
Office Standard 2010 Sale, Mingis on Macs: Mac consumers 'unbearably smug' about security?
C.J. Kelly's blog site: Hacking Stupidity 101: Never ever hack from property
The eight most harmful consumer technologies
Read a lot more about Protection in Computerworld's Safety Theme Middle.
Office 2010 Standard Product Key 'Bricking' bug th
Linear Mode
