Feeds

Click here to turn your HP laptop into a brick

More bundled software madness

Top three mobile application threats

A second bug in HP laptop utilities creates a means for hackers to turn PCs into "unbootable" bricks.

Flaws in the automatic software update tool bundled with HP notebooks might be abused to alter vital system files (in the kernel or elsewhere) leaving PC unbootable, according to a post on the milw0rm full disclosure mailing list. The vulnerability reportedly grants remote system arbitrary file write access. It stems from security flaws in an ActiveX control (called EngineRules.dll) that's connected with automatic software updates.

Upshot: hackers could, at a push, inject hostile code onto vulnerable systems after tricking users into visiting maliciously constructed websites. It's reportedly easier to carry out a much more unusual attack that corrupts system files and renders compromised systems unbootable.

The vulnerability affects HP laptop users running IE 6 or 7 on all supported versions of Windows.

Details were posted on milw0rm forum by "porkythepig", a security researcher using a Polish email address. The same hacker disclosed other bugs involving bundled software on HP laptops last week. HP quickly issued an update that disabled vulnerable components in its Info Centre software. The researcher said such a quick and dirty fix is unlikely to help in the latest case. "Simple disabling of the vulnerable control by the vendor's patch (like in the other HP software vulnerability case - HPInfo) would result in the machine software update system compromise in this case and would leave the user vulnerable to future security issues," he writes. ®

Seven Steps to Software Security

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.