HP laptops contain ActiveX bugs

By

A number of Hewlett-Packard notebook models are vulnerable to an ActiveX attack that could permit a hacker to execute malicious code.

HP laptops contain ActiveX bugs
A security researcher using the handle porkythepig said in a post today on Milw0rm that the unpatched vulnerability rests in the HP Info Center, pre-installed software that provides system information and is shipped with all HP laptops, mostly its Compaq models.

The researcher posted proof-of-concept code for the attack.

One of [the software's] ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation-based attacks,” the researcher wrote.

If a victim is duped into visiting a malicious webpage, the attacker could take advantage of vulnerable ActiveX control – HPInfoDLL.dll – which could fire off the exploit.

If the victim goes to a vulnerable website, the website can invoke the ActiveX control and possibly download a trojan or a backdoor or a keylogger on the machine,” Amol Sarwate, director of the vulnerability research lab at Qualys, told SCMagazineUS.com

About 15 different series of HP and HP Compaq notebooks are affected by the bug, according to the Milw0rm post. The machines are widely used in businesses, Sarwate said.

In lieu of a patch, users should set the kill-bit for the affected ActiveX control, according to an advisory today from Secunia, which rated the vulnerability “highly critical.” Users should also avoid visiting untrusted websites, Sarwate said.

An HP spokesperson did not respond to a request for comment.

See original article on scmagazineus.com
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
laptop securitysecurity

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?