Computerworld - The hacker who posted an exploit previous week that threatened a large swath of Hewlett-Packard Co.'s laptop computer lineup followed up yesterday with new assault code that can "brick" virtually each and every HP laptop computer.
In a very submit towards the milw0rm.com Website Wednesday, a Polish protection researcher who used the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX management utilized by HP's Software program Update,
Discount Office 2007, the patch management program bundled with virtually every single HP- and Compaq-branded laptop computer.
In accordance to porkythepig's publish, the Application Update bugs allow an attacker corrupt Windows' kernel files, generating the laptop computer unbootable, or using a tiny far more hard work, permit hacks that would outcome inside a Pc hijack or malware infection. In both case, a drive-by attack might be performed by feeding users an e-mail message with a link to a malicious Web site.
"Every HP notebook machine containing the HP Software Updates application is susceptible," claimed porkythepig. "It is feasible the susceptible machine model listing disclosed from the vendor being a confirmation towards the past issue regarding HP laptops, [the] HP Data Center case, will probably be related in this scenario."
Previous week, porkythepig disclosed numerous flaws in other application integrated with HP's portables. When the company patched the vulnerabilities a day later on, it outlined 83 affected laptops.
The situation through which an attacker overwrites the kernel and thus "bricks" the HP or Compaq notebook, was from the normal, given that most hacks intention to snatch handle with the machine or infect it with identity-stealing malware. But the crippling attack, mentioned porkythepig,
Microsoft Office 2010 Product Key, is really the easier with the two. "This attack vector does not demand any extra victim social engineering, since the technique files are often put inside the predictable locations," he stated.
A drive-by attack that hopes to execute rogue code, however, calls for far more operate. To effectively exploit the ActiveX bug in Software program Update and compromise the personal computer, the hacker needs to know the site of specific files.
The researcher mentioned he had examined the exploit code on Windows 2000, XP, Server 2003 and Vista, and the vulnerabilities pose a chance to any user with possibly Internet Explorer six (IE6) or IE7 around the Computer. Nor will HP be capable of utilize the down-and-dirty correct it deployed final week,
Office Professional 2010 Key, mentioned porkythepig. After he revealed a number of bugs in HP's Data Center weekly back, HP issued an update that basically disabled the susceptible software.
"Simple disabling with the vulnerable manage from the vendor's patch,
Windows 7 Home Premium Key, like in the other HP computer software vulnerability circumstance, HP Information, [could still] result inside the machine['s] computer software update system [being] compromised, and would depart the person susceptible to long term protection concerns," porkythepig stated in the milw0rm.com write-up.
HP didn't reply to e-mailed requests for confirmation and comment.
Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz,
Office Home And Student, Technological innovation Rewind: HP-35/35th Anniversary Edition expected quickly
Robert L. Mitchell, Truth Check out: Ink wars: HP's glass 50 % empty defense
Robert L. Mitchell, Actuality Check out: Kodak vs HP ink wars: Pick your paper wisely
HP unveils its very first Linux laptop
Ken Mingis, Mingis on Macs: Mac consumers 'unbearably smug' about protection?
C.J. Kelly's blog: Hacking Stupidity 101: By no means hack from residence
The eight most hazardous buyer technologies
Read far more about Safety in Computerworld's Safety Matter Center.
Office Home And Student 'Bricking' bug threatens m
Linear Mode
