A second bug in HP laptop utilities creates a means for hackers to turn PCs into "unbootable" bricks.

Flaws in the automatic software update tool bundled with HP notebooks might be abused to alter vital system files (in the kernel or elsewhere) leaving PC unbootable, according to a post on the milw0rm full disclosure mailing list. The vulnerability reportedly grants remote system arbitrary file write access. It stems from security flaws in an ActiveX control (called EngineRules.dll) that's connected with automatic software updates.

The vulnerability affects HP laptop users running IE 6 or 7 on all supported versions of Windows.

Details were posted on milw0rm forum by "porkythepig", a security researcher using a Polish email address. The same hacker disclosed other bugs involving bundled software on HP laptops last week. HP quickly issued an update that disabled vulnerable components in its Info Centre software. The researcher said such a quick and dirty fix is unlikely to help in the latest case. "Simple disabling of the vulnerable control by the vendor's patch (like in the other HP software vulnerability case - HPInfo) would result in the machine software update system compromise in this case and would leave the user vulnerable to future security issues," he writes. ®

Related stories

• Security bug in HP support app aids hackers (4 June 2008)
• HP biased against BIOS password security (2 June 2008)
• Exploit for 'extremely critical' Yahoo Jukebox vuln goes wild (5 February 2008)
• 'Highly critical' security bug bites HP Virtual Rooms (22 January 2008)
• Hey, HP laptop owners: click here to get hijacked (12 December 2007)
• Rogue ActiveX controls menace users (24 October 2007)
• Buffer the Overflow Slayer v. the ActiveX Files (14 August 2007)
• Third unpatched vuln menaces Word (15 December 2006)