Buy Windows 7 'Bricking' bug threatens most HP, Co

Computerworld - The hacker who posted an exploit final week that threatened a sizable swath of Hewlett-Packard Co.'s laptop computer lineup followed up yesterday with new assault code that will "brick" virtually each and every HP laptop.
Inside a submit for the milw0rm.com Web page Wednesday, a Polish security researcher who utilized the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX manage used by HP's Application Update, the patch management plan bundled with virtually each HP- and Compaq-branded laptop.
According to porkythepig's publish, the Application Update bugs let an attacker corrupt Windows' kernel files, making the laptop computer unbootable, or which has a minor much more energy, enable hacks that will outcome in a Laptop hijack or malware infection. In either situation, a drive-by attack might be performed by feeding users an e-mail message using a link to a malicious Website.
"Every HP notebook machine that contains the HP Software Updates software is susceptible," claimed porkythepig. "It is possible that the vulnerable machine model checklist disclosed through the vendor being a confirmation towards the prior concern regarding HP laptops, [the] HP Info Center case, is going to be related on this scenario."
Last week, porkythepig disclosed multiple flaws in other application integrated with HP's portables. If the business patched the vulnerabilities each day later on, it detailed 83 impacted laptops.
The situation during which an attacker overwrites the kernel and therefore "bricks" the HP or Compaq notebook, was from the ordinary, given that most hacks purpose to snatch management in the machine or infect it with identity-stealing malware. But the crippling assault,Office 2007 Professional Plus Key, said porkythepig, is in fact the simpler in the two. "This assault vector doesn't demand any added victim social engineering, since the system files are often put in the predictable locations," he explained.
A drive-by attack that hopes to execute rogue code, nevertheless, calls for much more operate. To productively exploit the ActiveX bug in Computer software Update and compromise the laptop or computer, the hacker must know the site of selected files.
The researcher stated he had tested the exploit code on Windows 2000,Buy Windows 7, XP, Server 2003 and Vista, and the vulnerabilities pose a threat to any consumer with possibly Web Explorer 6 (IE6) or IE7 on the Pc. Nor will HP manage to use the down-and-dirty repair it deployed previous week, stated porkythepig. Following he unveiled many bugs in HP's Data Center every week in the past,Office 2007 Enterprise, HP issued an update that just disabled the susceptible computer software.
"Simple disabling in the susceptible control through the vendor's patch,Office Professional Plus 2007 Key, like inside the other HP software vulnerability situation, HP Info, [could still] end result inside the machine['s] application update method [being] compromised, and would leave the user vulnerable to foreseeable future protection issues," porkythepig stated inside the milw0rm.com write-up.

HP did not reply to e-mailed requests for confirmation and comment.


Related News and Discussion:
Update: Most HP, Compaq notebooks ship with code bugs
Evan Koblentz, Technology Rewind: HP-35/35th Anniversary Edition anticipated quickly
Robert L. Mitchell, Truth Examine: Ink wars: HP's glass half empty defense
Robert L. Mitchell,Microsoft Office Professional Plus 2010, Reality Verify: Kodak vs HP ink wars: Decide on your paper wisely
HP unveils its 1st Linux laptop
Ken Mingis, Mingis on Macs: Mac consumers 'unbearably smug' about security?
C.J. Kelly's blog: Hacking Stupidity 101: Never ever hack from home
The eight most harmful consumer technologies
Read more about Safety in Computerworld's Safety Topic Middle.