HP confirms gaping backdoor on 82 laptop models

Summary: Computer maker Hewlett Packard has fessed up to a gaping security hole on more than 80 laptop models, warning that the backdoor could put users at risk of drive-by code execution attacks.


An advisory from HP lists 82 laptop models as affected by an ActiveX vulnerability in the HP Info Center software. The issue is rated "critical," and HP laptop owners should be aware that public exploit code that provides a roadmap for exploiting the hole is circulating around the Internet.

A successful exploit simply requires that the laptop owner is lured to a malicious Web site while using Microsoft’s Internet Explorer. The risks include remote code execution, remote system registry read/write access and remote shell command execution.

It affects laptops running Windows 2000, Windows XP and Windows Vista.

[ SEE: There’s a hole in your laptop, dear HP, dear HP ]

The vulnerable ActiveX control is identified as HPInfoDLL.dll, which is marked as “Safe for Scripting” by default.

HP issued what could best be described as an interim patch that must be manually applied on vulnerable machines. It does not patch the vulnerability but instead disables the HP Info Center software. Instructions on applying the fix are available at the bottom of HP's advisory.
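For defenders who want to confirm exposure on a given machine, the following is an added example, not code from HP's advisory or from this article: a read-only PowerShell audit that finds COM classes served by HPInfoDLL.dll and reports whether the registry marks them "Safe for Scripting" and whether Internet Explorer's kill bit is set for them. The function name is hypothetical, and checking the kill bit is an assumption about how an administrator might verify blocking (the advisory's own fix is not reproduced here); a control can also declare itself safe through the IObjectSafety interface, which this registry check does not see.

```powershell
# Added example (not from HP's advisory). Read-only audit; run in PowerShell 3+.
$DllName          = 'HPInfoDLL.dll'                            # control named in the article
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4F52}'   # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C4F52}'   # CATID_SafeForInitializing
$KillBit          = 0x400                                      # IE "Compatibility Flags" kill bit

# Native and 32-bit (WOW64) registry views: COM registrations and IE compatibility flags.
$Views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-HPInfoControlStatus {   # hypothetical helper name
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            try {
                $srv = $key.OpenSubKey('InprocServer32')
                if (-not $srv) { continue }
                $path = [string]$srv.GetValue('')       # default value holds the DLL path
                if ($path -notlike "*$DllName*") { continue }

                $clsid  = $key.PSChildName
                $flags  = 0
                $compat = Join-Path $view.Compat $clsid
                if (Test-Path -LiteralPath $compat) {
                    $flags = [int](Get-ItemProperty -LiteralPath $compat).'Compatibility Flags'
                }
                [pscustomobject]@{
                    Clsid            = $clsid
                    Server           = $path
                    SafeForScripting = [bool]$key.OpenSubKey("Implemented Categories\$SafeForScripting")
                    SafeForInit      = [bool]$key.OpenSubKey("Implemented Categories\$SafeForInit")
                    KillBitSet       = ($flags -band $KillBit) -ne 0
                }
            } catch { Write-Warning "Skipped $($key.Name): $_" }
        }
    }
}

Get-HPInfoControlStatus | Format-List
```

No output means no class registered on the machine points at HPInfoDLL.dll; a row with SafeForScripting true and KillBitSet false means Internet Explorer will still let a Web page script the control.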

ALSO SEE:  Zero-day flaw haunts HP laptop models


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
