Hewlett-Packard Software Update, a tool that automatically updates HP software and drivers, contains several dangerous ActiveX flaws that an attacker could exploit to read sensitive information from a system or to gain access to it.
The flaws can be triggered by tricking Internet Explorer users into visiting a malicious website.
Danish vulnerability clearinghouse Secunia gave the threat a "highly critical" rating in its Secunia SA29966 advisory. Secunia said the potential exposure of system and other sensitive information as well as remote system access warranted the rating.
The vulnerabilities are reported in versions 4.000.009.002 and prior. HP has issued an advisory and an update for the tool to plug the holes. HP said the Software Update tool is often installed as part of software supplied with its PCs, printers, scanners or cameras.
The flaws were discovered by security researcher Tan Chew Keong, who said they were found in March. One of them is a flaw in an ActiveX control that an attacker could exploit to cause a stack-based buffer overflow.
"Successful exploit requires that the user is tricked into visiting a malicious website using IE6 or earlier," Tan said in a vuln.sg research advisory. "If the user uses IE7, he must first be convinced into allowing the ActiveX control to run."
A second ActiveX flaw could be exploited to read registry entries or text files; Secunia said an attacker who exploits it could also retrieve system and operating system information.
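For administrators who want to check fleets against the affected range above and block the control in Internet Explorer until HP's update is applied, the following PowerShell script is an added example written for this article; it is not code from HP, Secunia or vuln.sg. It assumes that HP Software Update registers under the standard Windows Uninstall keys with a DisplayName containing "HP Software Update" (an assumption, not stated in the advisories) and that the CLSID of the vulnerable control is taken from HP's advisory and passed in by the caller; no CLSID is hard-coded here. The kill bit itself (Compatibility Flags = 0x400 under the ActiveX Compatibility key) is Microsoft's documented mechanism for stopping IE from instantiating a control, and is the standard interim mitigation for ActiveX advisories of this kind, but it is a workaround, not a replacement for HP's update.

```powershell
# Added example, not vendor code: audit HP Software Update against the
# vulnerable range (4.000.009.002 and prior) and optionally kill-bit the control.
# Assumptions: DisplayName match below is a guess; $Clsid must come from HP's advisory.
[CmdletBinding()]
param(
    [string]$Clsid,        # e.g. '{...}' from the vendor advisory; leave empty to audit only
    [switch]$SetKillBit    # also write the kill bit for $Clsid
)

# System.Version parses each component as an integer, so '4.000.009.002' becomes 4.0.9.2.
$VulnerableMax = [version]'4.000.009.002'

function Get-HpSoftwareUpdateInstall {
    # Both the native and the WOW6432Node Uninstall hives, so x64 hosts are covered.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*HP Software Update*' } |   # assumed name
        ForEach-Object {
            $v = $null
            try { $v = [version]$_.DisplayVersion } catch { }   # non-numeric strings stay $null
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                RawVersion  = $_.DisplayVersion
                Vulnerable  = ($null -ne $v -and $v -le $VulnerableMax)
                Unparsed    = ($null -eq $v)   # flag for manual review rather than silently "safe"
            }
        }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # IE refuses to instantiate a control whose Compatibility Flags include 0x400,
    # whatever its safe-for-scripting/initialization flags say. Write it in both
    # views so 32-bit IE on x64 (which reads Wow6432Node) is covered too.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $ok = $true
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value 0x400 -Force | Out-Null
        $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        if (($flags -band 0x400) -ne 0x400) { $ok = $false }
    }
    return $ok
}

$installs = @(Get-HpSoftwareUpdateInstall)
if ($installs.Count -eq 0) {
    Write-Output 'HP Software Update not found in the Uninstall keys (name pattern is an assumption).'
} else {
    $installs | Format-Table -AutoSize
}

if ($SetKillBit) {
    if (-not $Clsid) { throw 'Supply -Clsid from the HP advisory to set the kill bit.' }
    if (Set-ActiveXKillBit -Clsid $Clsid) { Write-Output "Kill bit set for $Clsid" }
    else { Write-Warning "Kill bit could not be verified for $Clsid" }
}
```

Run it elevated, first without switches to see what version is installed, then with `-SetKillBit -Clsid '{...}'` once you have the CLSID from HP's advisory. Entries that show Unparsed are versions the script could not interpret and should be checked by hand rather than assumed safe. Note that the kill bit only blocks the control inside Internet Explorer; the vulnerable binary remains on disk until HP's update is installed.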