Feeds

'Highly critical' security bug bites HP Virtual Rooms

More ActiveX insecurity

Beginner's guide to SSL certificates

A security researcher has uncovered a serious security bug in a Hewlett-Packard website used to host virtual meetings that could allow an attacker to remotely run malicious code on the machines of people who use the service.

The vulnerability in HP Virtual Rooms resides in the ActiveX client used to install the service on users' PCs, according to this advisory posted Tuesday on the Full-Disclosure mail list. Vulnerability tracking service Secunia rates it "highly critical," because it can be used by attackers to compromise a user's machine.

Over the past year, security slip-ups at HP have put its laptop customers at risk for at least three attacks. Two of them allowed attackers to remotely run malicious code if they could lure victims to a booby-trapped website. A third bug allowed miscreants to render the machine unbootable. The flaws, which HP has since fixed, resided in software that comes pre-installed on machines and is typically used to help users install updates and trouble shoot technical problems.

HP Virtual Rooms is a package of online tools for business collaboration, training and support. Participants can enter rooms to discuss particular projects and collaborate in real-time with colleagues on spreadsheets, video presentations and other jobs.

The bug in HP Virtual Rooms is found in hpvirtualrooms14.dll, which is used to install software needed to make the service work on an end-user's machine. It is likely used only during the installation process, so one possible work-around involves setting the killbit for the control.

The bug was reported by Elazar Broad. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.