Feeds

Click here to turn your HP laptop into a brick

More bundled software madness

SANS - Survey on application security programs

A second bug in HP laptop utilities creates a means for hackers to turn PCs into "unbootable" bricks.

Flaws in the automatic software update tool bundled with HP notebooks might be abused to alter vital system files (in the kernel or elsewhere) leaving PC unbootable, according to a post on the milw0rm full disclosure mailing list. The vulnerability reportedly grants remote system arbitrary file write access. It stems from security flaws in an ActiveX control (called EngineRules.dll) that's connected with automatic software updates.

Upshot: hackers could, at a push, inject hostile code onto vulnerable systems after tricking users into visiting maliciously constructed websites. It's reportedly easier to carry out a much more unusual attack that corrupts system files and renders compromised systems unbootable.

The vulnerability affects HP laptop users running IE 6 or 7 on all supported versions of Windows.

Details were posted on milw0rm forum by "porkythepig", a security researcher using a Polish email address. The same hacker disclosed other bugs involving bundled software on HP laptops last week. HP quickly issued an update that disabled vulnerable components in its Info Centre software. The researcher said such a quick and dirty fix is unlikely to help in the latest case. "Simple disabling of the vulnerable control by the vendor's patch (like in the other HP software vulnerability case - HPInfo) would result in the machine software update system compromise in this case and would leave the user vulnerable to future security issues," he writes. ®

SANS - Survey on application security programs

More from The Register

next story
WTF happened to Pac-Man?
In his thirties and still afraid of ghosts
Reg man builds smart home rig, gains SUPREME CONTROL of DOMAIN – Pics
LightwaveRF and Arduino: Bright ideas for dim DIYers
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Microsoft signs Motorola to Android patent pact – no, not THAT Motorola
The part that Google never got will play ball with Redmond
Happy 25th birthday, Game Boy!
Monochrome handset ushered in modern mobile gaming era
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Slip your finger in this ring and unlock your backdoor, phone, etc
Take a look at this new NFC jewellery – why, what were you thinking of?
US mobile firms cave on kill switch, agree to install anti-theft code
Slow and kludgy rollout will protect corporate profits
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.