HP customers vulnerable to software update tool flaw

SearchSecurity.com Staff

A dangerous flaw in Hewlett-Packard Software Update, a tool that automatically updates HP software and drivers, could be exploited by an attacker to read sensitive information or gain access to a system.

The tool contains several ActiveX flaws that could be exploited by tricking Internet Explorer users into visiting a malicious website.

Danish vulnerability clearinghouse Secunia gave the threat a "highly critical" rating in its Secunia SA29966 advisory. Secunia said the potential exposure of system and other sensitive information as well as remote system access warranted the rating.

The vulnerabilities are reported in versions 4.000.009.002 and prior. HP has issued an advisory and an update for the tool to plug the holes. HP said the Software Update tool is often installed as part of software supplied with its PCs, printers, scanners or cameras.

The flaws were discovered by security researcher Tan Chew Keong. Specifically, the tool has an ActiveX control flaw that could be exploited by an attacker to cause a stack-based buffer overflow. Keong said the flaws were discovered in March.

"Successful exploit requires that the user is tricked into visiting a malicious website using IE6 or earlier," Keong said in a vuln.sg research advisory. "If the user uses IE7, he must first be convinced into allowing the ActiveX control to run."

A second ActiveX flaw could be exploited to read registry entries or text files. After successfully exploiting the flaw, an attacker could also retrieve system and OS information, Secunia said.

