Zero-day flaw haunts HP laptop models

Summary: A zero-day hole in several major HP laptop models could provide an easy way for hackers to take complete control of Windows machines, according to a warning from an independent security researcher.


The researcher, known as "porkythepig," discovered the vulnerability in the HP Info Center software that's preinstalled on multiple HP Compaq notebook series to allow one-touch access to features.

The skinny from a detailed advisory:

One of [the software's] ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation based attacks.


A successful exploit simply requires that the laptop owner is lured to a malicious Web site while using Microsoft's Internet Explorer. The risks include remote code execution, remote system registry read/write access and remote shell command execution.

The vulnerable ActiveX control is identified as HPInfoDLL.dll, which is marked as "Safe for Scripting" by default.
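
A defensive check for the condition described above, added here as an example and not taken from the advisory or from HP: this PowerShell script finds COM classes registered under HKLM whose server is HPInfoDLL.dll and reports whether each carries the "Safe for Scripting" registry category and whether an Internet Explorer kill bit is set. The kill bit and the registry locations are standard Windows mechanisms assumed here, not details from the article.

```powershell
# Added example: audit COM registrations served by HPInfoDLL.dll (file name from the article).
$dllName       = 'HPInfoDLL.dll'
$catSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C4E97}'  # CATID_SafeForScripting
$killBit       = 0x400   # "Compatibility Flags" bit that stops IE from loading the control

# 32-bit controls on 64-bit Windows register under WOW6432Node, so check both views.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$results = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Clsid)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $v.Clsid -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $inproc)) { continue }

        # The default value of InprocServer32 is the path of the DLL that implements the class.
        $server = (Get-Item -LiteralPath $inproc).GetValue('')
        if ($server -notlike "*$dllName*") { continue }

        $clsid = $key.PSChildName
        # Registry category only: a control can also declare itself safe at run time
        # through IObjectSafety, which this check cannot see.
        $safe = Test-Path -LiteralPath (Join-Path $key.PSPath "Implemented Categories\$catSafeScript")

        $flags = 0
        $compatKey = Join-Path $v.Compat $clsid
        if (Test-Path -LiteralPath $compatKey) {
            $val = (Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags')
            if ($null -ne $val) { $flags = [int]$val }
        }

        [pscustomobject]@{
            CLSID               = $clsid
            Server              = $server
            SafeForScriptingCat = $safe
            KillBitSet          = [bool]($flags -band $killBit)
        }
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { "No COM class served by $dllName found under HKLM." }
```

A row with `KillBitSet` false means Internet Explorer can still instantiate that class from a web page; setting the kill bit for the listed CLSID or removing the software closes that path.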

The exploit code, which has been posted to Milw0rm.com and BugTraq, includes a list of HP laptop models that are confirmed vulnerable.

The researcher also provides a Web page that detects if your HP machine is vulnerable (use at your own risk).

This is the second time this year that HP has run into security trouble with software that ships with its laptop models. Back in June, the company patched a very serious Help and Support Center vulnerability that put Windows XP machines at risk of code execution attacks.





        
            


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
