HP Software Update flaws threaten data leakage

Liam Tung ZDNet Australia

Published: 29 Apr 2008 10:20 BST

HP's Software Update tool has been found to contain flaws which can lead to remote code execution or the leakage of sensitive information stored on a PC.

The offending component of the HP Software Update application is the HPeDiag ActiveX control, which checks for and downloads security, firmware, software and driver updates.

The flaw affects any HP PC, or any PC connected to an HP scanner, printer or camera, that contains a version of the update.

Tan Chew Keong from vuln.sg, who advised HP of the flaw in March, said the vulnerable ActiveX controls are installed as part of HP Software Update version 3.0.2.991 when the user installs the Windows software suite for HP Color LaserJet 2820/2840.

However, according to HP's security advisory, the flaw affects a larger set of products, including scanners, printers, cameras and PCs that use HP Software Update. Updates v4.000.009.002 or earlier running on Windows may be exposed to the vulnerability but the problem should be resolved for PCs with update v4.000.010.008 or higher.

"A successful exploit requires that the user is tricked into visiting a malicious website using IE6 [Internet Explorer 6] or earlier. If the user uses IE7, he must first be convinced into allowing the ActiveX control to run," Tan said.

HP has not clarified in its advisory which versions of Internet Explorer are vulnerable to such an attack; however, it does explain how to resolve the problem.

HP has not advised customers to disable ActiveX in Internet Explorer; however, the US Computer Emergency Readiness Team (US-CERT) and Tan recommended doing so.

The flawed application is the second threat that HP has exposed its customers to this month. HP previously shipped malware-infected USB drives for its ProLiant servers.

HP was unable to respond to ZDNet.com.au's questions at the time of writing.

Credit: Holes in HP Software Update threaten data leakage from ZDNet Australia
