HP: The ActiveX security follies continue
Fresh off a series of security problems with software included on HP laptops, the company is under the gun again, say security researchers. One common thread: HP vulnerabilities due to ActiveX issues.
The latest HP vulnerability--discovered by security researcher Elazar Broad--involves the HP Virtual Rooms Install. Virtual Rooms is a suite of online collaboration, training and support tools. Several properties are vulnerable to buffer overflows.
In his advisory, Broad writes:
HP uses an ActiveX control to install the Virtual Rooms client. Several properties including AuthenticationURL, PortalAPIURL, cabroot are vulnerable to a buffer overflow.
hpvirtualrooms14.dll version 1.0.0.100 HP Virtual Rooms Install {00000014-9593-4264-8B29-930B3E4EDCCD} Implements IObjectSafety
Secunia rates the flaw "highly critical." The flaw can be exploited to execute arbitrary code. The flaw is unpatched.
If all of these ActiveX problems sound familiar that's because HP vulnerabilities spring up regularly. Last month, a Polish hacker porkythepig found a zero-day vulnerability in HP laptops that leave the PC unbootable. Before that HP confirmed a backdoor on 82 laptop models.
Can we get just a little testing at HP?