If you own an HP laptop and haven't blitzed the default install, now might be the time to do so. A post to the milw0rm.com vulnerability database contains details of a vulnerability in the software supplied by HP which can allow remote users to run arbitrary executables on your pride and joy.
The problem lies with the HP Info Center, an ActiveX based tool provided by HP for support purposes. Although the software is designed to help users fix problems they may have, it seems that it has a few bugs which could have exactly the opposite effect.
The Info Center ActiveX control is marked by default as “Safe for Scripting”, which means that script on any web page opened in Internet Explorer can load the control and call its methods, and the control itself has full system access.
Because the flaw lies in the HP Info Center package and not the host operating system, your system could be vulnerable whichever version of Windows you're running, even if you're fully up to date with patches and service packs.
All that is needed for a cracker to execute code on your system is for you to be lured to a malicious link in Internet Explorer – once you've clicked, your system is theirs. Users of alternative browsers such as Firefox are not thought to be at risk, especially if you use the excellent NoScript add-on.
HP has yet to comment on the vulnerability, so to protect your systems it might be a good idea to switch your browser to one that doesn't use ActiveX until such time as they acknowledge the issue and release a fix.
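An added example, not from the original article or from HP: a read-only PowerShell audit that lists every COM class registered under the Safe for Scripting category and reports whether Internet Explorer's kill bit is set for it. The category GUID and the kill-bit registry location are standard Windows values; the function name `Get-SafeForScriptingControl` is hypothetical, and controls that declare safety only at run time through `IObjectSafety` will not appear in the output.

```powershell
# Added example (not HP's or the article's code). Read-only registry audit.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$KillBit = 0x400  # kill-bit value inside a control's "Compatibility Flags"

# Native and 32-bit (WOW6432Node) registry views; the second exists only on 64-bit Windows.
$Views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-SafeForScriptingControl {
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            # Keep only classes that list the Safe for Scripting category.
            $cat = $key.OpenSubKey("Implemented Categories\$SafeForScripting")
            if ($null -eq $cat) { continue }
            $cat.Close()

            # The default value of InprocServer32 is the DLL/OCX the browser would load.
            $server = $null
            $inproc = $key.OpenSubKey('InprocServer32')
            if ($null -ne $inproc) { $server = $inproc.GetValue(''); $inproc.Close() }

            # Kill bit: Compatibility Flags with 0x400 set stops IE instantiating the control.
            $flags = 0
            $compat = Join-Path $view.Compat $key.PSChildName
            if (Test-Path -LiteralPath $compat) {
                $flags = [int](Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0)
            }

            [pscustomobject]@{
                CLSID      = $key.PSChildName
                Name       = $key.GetValue('')
                Server     = $server
                KillBitSet = ($flags -band $KillBit) -eq $KillBit
            }
        }
    }
}

Get-SafeForScriptingControl | Sort-Object Server | Format-Table -AutoSize -Wrap
```

The article does not give the Info Center control's CLSID or file name, so identify it from the `Server` column by its install path.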
If you're feeling technical, milw0rm.com have all the juicy details.
Any HP users out there feeling a bit worried by this turn of events, or is everyone using Firefox or Opera? Let us know via the forums.