Click here to turn your HP laptop into a brick

More bundled software madness

By John Leyden, 21st December 2007

A second bug in HP laptop utilities creates a means for hackers to turn PCs into "unbootable" bricks.

Flaws in the automatic software update tool bundled with HP notebooks might be abused to alter vital system files (in the kernel or elsewhere) leaving PC unbootable, according to a post on the milw0rm full disclosure mailing list. The vulnerability reportedly grants remote system arbitrary file write access. It stems from security flaws in an ActiveX control (called EngineRules.dll) that's connected with automatic software updates.

Upshot: hackers could, at a push, inject hostile code onto vulnerable systems after tricking users into visiting maliciously constructed websites. It's reportedly easier to carry out a much more unusual attack that corrupts system files and renders compromised systems unbootable.

The vulnerability affects HP laptop users running IE 6 or 7 on all supported versions of Windows.

Details were posted on milw0rm forum by "porkythepig", a security researcher using a Polish email address. The same hacker disclosed other bugs involving bundled software on HP laptops last week. HP quickly issued an update that disabled vulnerable components in its Info Centre software. The researcher said such a quick and dirty fix is unlikely to help in the latest case. "Simple disabling of the vulnerable control by the vendor's patch (like in the other HP software vulnerability case - HPInfo) would result in the machine software update system compromise in this case and would leave the user vulnerable to future security issues," he writes. ®

COMMENTS

House Rules Send Corrections

All Reader Comments (44)

Latest Comments

Posted Thursday 27th December 2007 23:01 GMT

Morely Dotes

@ BatCat

"if you can live with the limitations, switch to linux."

Let's see, what are the limitations again? Oh, yes:

* - The OS and almost any software you'd ever need to run are free.

* - Software updates extremely rarely require a reboot.

* - ActiveX security flaws simply don't exist anywhere except on Windows.

* - It requires a determined effort by a knowledgeable user to get a virus to run on linux.

* - older hardware will work just fine under linux.

* - The RIAA/MPAA don't seem to be aware that linux works quite well to play MP3s and DivX files, and can share them nicely too.

* - any Windows productivity application, and the vast majority of games, can be run on linux, too.

I could go on, but anyone who doesn't already get the point simply doesn't want to.

Posted Tuesday 25th December 2007 06:15 GMT

Martin Walker

linux v windows

I'm a pragmatist, I need my PCs to do my work.

10 or so years ago that meant using cloned unix commands at the DOS prompt.

5 years ago it meant also having a linux box viewed from windows with vnc,

2 years ago it meant making the main desktop linux.

Right now it is down to some resentment that a few things still only work under windows, and that it still can be a horrible and not alway successful fight to get Linux working right.

1 year on it may be very interesting!

Posted Monday 24th December 2007 21:17 GMT

HP = POS

I have a DV4220tx

I will NEVER EVER buy a HP laptop again....

Why:

1- Random power downs

2- A volume control that cannot be muted or turned down until windows boots (great when your working at 3 in the morning and have to restart cause it decided to power off for reasons only know to its self, and yes i have removed the windows startup sound)

3- Finding no thermal paste on the heatsink after deciding to check the CPU cooler for blockages (thinking the power downs were heat related).

4- A raised lid closed switch that sends the laptop into standby when acidentally pressed

and so on and so forth

HP.... I think it stands for HOW PATHETIC

Posted Monday 24th December 2007 17:32 GMT

Anonymous Coward