
HP customers vulnerable to software update tool flaw

Several flaws in HP Software Update could allow an attacker to read system information or gain access to a machine.

A dangerous flaw in Hewlett-Packard Software Update, a tool that automatically updates HP software and drivers, could be exploited by an attacker to read sensitive information or gain access to a system.


The tool contains several ActiveX flaws that could be exploited by tricking Internet Explorer users into visiting a malicious website.

Danish vulnerability clearinghouse Secunia gave the threat a "highly critical" rating in its Secunia SA29966 advisory. Secunia said the potential exposure of system and other sensitive information as well as remote system access warranted the rating.

The vulnerabilities are reported in versions and prior. HP has issued an advisory and an update for the tool to plug the holes. HP said the Software Update tool is often installed as part of software supplied with its PCs, printers, scanners or cameras.

The flaws were discovered by security researcher Tan Chew Keong. Specifically, the tool has an ActiveX control flaw that could be exploited by an attacker to cause a stack-based buffer overflow. Keong said the flaws were discovered in March.

"Successful exploit requires that the user is tricked into visiting a malicious website using IE6 or earlier," Keong said in a research advisory. "If the user uses IE7, he must first be convinced into allowing the ActiveX control to run."

A second ActiveX flaw could be exploited to read registry entries or text files. After successfully exploiting the flaw, an attacker could also retrieve system and OS information, Secunia said.
