Zero-day flaw haunts HP laptop models


Summary: A zero-day hole in several major HP laptop models could provide an easy way for hackers to take complete control of Windows machines, according to a warning from an independent security researcher.


The researcher, known as "porkythepig," discovered the vulnerability in the HP Info Center software that's preinstalled on multiple HP Compaq notebook series to allow one-touch access to features.

The skinny from a detailed advisory:

One of [the software's] ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation based attacks.


A successful exploit simply requires that the laptop owner is lured to a malicious Web site while using Microsoft's Internet Explorer. The risks include remote code execution, remote system registry read/write access and remote shell command execution.

The vulnerable ActiveX control is identified as HPInfoDLL.dll, which is marked as "Safe for Scripting" by default.

The exploit code, which has been posted to Milw0rm.com and BugTraq, includes a list of HP laptop models that are confirmed vulnerable.

The researcher also provides a Web page that detects if your HP machine is vulnerable (use at your own risk).
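A read-only inventory check a defender can run instead of visiting the researcher's test page. This is an added example, not code from the article, the researcher or HP: it enumerates registered ActiveX controls whose in-process server is HPInfoDLL.dll (the only identifier the advisory gives; no CLSID is known from the article), reports whether each is tagged "Safe for Scripting" in its component categories, and whether an Internet Explorer kill bit is already set for it. The category GUIDs and the ActiveX Compatibility key are Microsoft's documented, well-known values.

```powershell
# Added example (not from the article or from HP). Read-only inventory of
# ActiveX controls served by a given DLL, their declared safety categories,
# and IE kill-bit status. Run from an elevated prompt if HKLM access is limited.

$TargetDll = 'HPInfoDLL.dll'   # DLL name from the advisory; any DLL name works

# Well-known component category GUIDs checked by IE before scripting a control
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# IE blocks a control when this bit is set in its Compatibility Flags value
$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# HKCR is not mapped as a PSDrive by default
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    if (-not $server -or $server -notmatch [regex]::Escape($TargetDll)) { return }

    # Safety declared statically via component categories. Caveat: a control
    # can also claim safety at runtime through IObjectSafety, which a registry
    # scan cannot see, so "False" here does not prove the control is unsafe-marked.
    $cats = @()
    $catKey = "HKCR:\CLSID\$clsid\Implemented Categories"
    if (Test-Path $catKey) { $cats = (Get-ChildItem $catKey).PSChildName }

    $flags = (Get-ItemProperty -Path "$CompatRoot\$clsid" -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killBit = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)

    [pscustomobject]@{
        CLSID               = $clsid
        Server              = $server
        SafeForScripting    = $cats -contains $SafeForScripting
        SafeForInitializing = $cats -contains $SafeForInitializing
        KillBitSet          = $killBit
    }
} | Format-Table -AutoSize
```

A row showing SafeForScripting = True and KillBitSet = False is the exposure the advisory describes; until a vendor fix is applied, setting Compatibility Flags to 0x400 under the control's CLSID in the ActiveX Compatibility key is the standard way to stop Internet Explorer from instantiating it.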

This is the second time this year that HP has run into security trouble with software that ships with its laptop models. Back in June, the company patched a very serious Help and Support Center vulnerability that put Windows XP machines at risk of code execution attacks.


Talkback

46 comments
  • HP Pavilion Notebook zv6130us and HP Info Center

    Even if I have an HP Pavilion Notebook zv6130us, I don't have HP Info Center installed in my laptop. Is it only for newer laptops?
    Grayson Peddie
    • This must be old news...

      I got my installation patched clear back in June, if I remember correctly. If you don't have it installed, I wouldn't worry about it. The driver updater only works half the time, and is inaccurate. You're better off going to the site and manually updating your unit yourself.
      JCitizen
  • RE: Zero-day flaw haunts HP laptop models

    Anyone who doesn't disable - and then uninstall - all of the craplets that come pre-installed on major brand computers before ever connecting it to the internet pretty much deserves what they get. The only "safe" way to approach computing these days is with a clean OS install, a good security suite and whatever office apps, etc you need. Shareware, trialware, freeware, adware and file-swapping software inevitably introduce both security vulnerabilities and system stability issues.
    craig-wilson
    • Ridiculous statements...

      That first sentence is more idiotic than the actions of a person who buys a computer and believes they can use it without being a technician. If only computer techs bought computers, the companies would all go out of business. People need to know enough to download and install security updates, not reformat and reinstall from scratch.
      Etch44
    • Agreed

      I know that from HP's point of view all this preinstalled stuff looks attractive, but I consider it negative advertising, and I don't recall receiving any benefit from any of this aggravating stuff. "Oh goody, look at all this free software","how nice of HP to put in their own help files","HP updates, cool". Install my OS of choice, no problem. That is actually quicker and less of a PITA than trying to uninstall all the misc.
      Louis.Ross
    • I'm still using more than half of those "craplets"

      They work better than the full house retail box versions of the same software. I have already patched all vulnerabilities for these utilities; this news article is out of date. Since March 2005 in fact, for HP crap; and June 2006 for 3rd party crap.
      JCitizen
  • RE: Zero-day flaw haunts HP laptop models

    Well, it is off topic, but HP-Compaq had shipped a model Presario v3225au (I was stupid enough to buy that!) that has 64 bit hardware (AMD 64 Turion) but, unbelievably, the bundled OS is Vista Home Basic 32 bit!
    raviratlami
    • No Worries! The 64 bit O/S would have given you heaps of problems

      NT
      pingu3
      • Probably correct for Vista x64 but..

        for XP x64 my HP laptop literally screams in performance! So far the only driver issue I have is for the dial up modem and I will never use it anyway.

        People should hold out for the XP x64 as it is directly related to server 2003 NT technology. With just a few freeware utilities it could be every bit as secure as Vista.

        Arguments to the contrary are welcome.

        Hopefully Vista will die on the vine and Microsoft will resurrect XP x64 as a smart marketing move.
        JCitizen
    • standard practice, thanks to the x64 driver issues that were out there...

      really, all of the issues that were had by the early adopters of x64 software were enough that you'll be hard pressed to find a vendor who ships x64 software without A) warning you, or B) having you specifically CHOOSE the software...

      There's not generally enough of a compelling argument for the vendors to set x64 as the default.
      shryko
  • Overall flaws haunt HP laptop models

    HP laptops seem to have more issues than just security to worry about. Makes me wonder who's in their testing department. A recent HP laptop purchase of mine just wiped out all files while doing an HP update and restarting. A replacement HP laptop wouldn't even fully initialize from factory settings out of the box without reporting errors in the HP Total Advisor Software. There was nothing HP or I could do to remedy the errors. HP's support is stumped. HP is not the quality company of yore!
    moxnix2
    • Compaq Craptops

      I bought a Compaq laptop for my daughter in July 2005. About Thanksgiving 2005, it decided not to power on. It was in warranty, so HP fixed it. About Thanksgiving 2006, the same thing seemed to happen again. As it was out of warranty, I still haven't bothered trying to fix it.

      I just bought another laptop for myself last weekend and you can bet it wasn't an HP or Compaq.
      Pony99CA
  • Other makers have similar?

    IBM/Lenovo laptops have the "IBM Access Center", part of which checks back to "HQ" for messages, updates, etc. I would assume there may be a similar vulnerability? I have distrust of *any* s/w that makes or allows a connection back to "home" in order to give me updates, because it is just another opening in the armor.
    Techboy_z
    • Yep. IBM/Lenovo had a problem with Apcon~1.dll

      Norton used to detect this on PCs out-of-the-box! (back in 2003)

      IBM (and or Symantec) fixed this one - I think that they renamed the dll!!!

      Now that the hackers have been made aware of the name of the HP one - maybe HP will do the same?
      pingu3
    • Windows Update

      Windows update?
      Mahegan
  • Bloatware

    HP got what was coming to them. Ever tried installing one of their printer drivers? Pure bloat. Anyway, hope this news lowers their sales, as that may be one avenue to getting them to reduce all the bloat. Just a thought, since most people delete the crap anyway, wouldn't they save money on programmers? Ah well...
    smarmybastard
    • Deleting Pre-Installed Software

      I really doubt that "most people delete the crap". Most people who buy PCs probably wouldn't bother (or they'd worry they'd break something else if they did). I wonder if most corporate IT departments even bother to delete the stuff.

      I'm a very knowledgeable computer person (a Windows software developer) and I don't bother deleting anything unless I need the disk space, use a different-but-equivalent product or hear bad things about the program.

      Complain about bloat all you want, but some people probably consider the extras as a selling point, which is why OEMs include them. (Plus, they probably get kickbacks on many of the programs they pre-install.)
      Pony99CA
      • Agreed, as I posted earlier I am still using almost ...

        all the "crapware" that HP pre-installs on their laptops. They work better than the full blown retail applications; and better yet they are free. I doubt these companies will continue along this line as it is undermining the need to buy their worthless retail box edition software.
        JCitizen
        • Your HP applications...

          ...are normally retail sold software packages that freeware online beats the crap out of, in performance AND functionality...
          A_Pickle
          • True, but to clarify, I am talking about 3rd party...

            applications like Sonic's video software and the like. The retail MyDVD package is junk compared to the free one I got from my HP purchase. Nero and Sonic's retail box software is bloated and downrated on every site I have checked on so far.

            I've never had so many slowdowns and BSODs as I had evaluating Nero 7.
            JCitizen