If you own an HP laptop and haven't blitzed the default install, now might be the time to do so. A post to the milw0rm.com vulnerability database contains details of a vulnerability in the software supplied by HP which can allow remote users to run arbitrary executables on your pride and joy.
The problem lies with the HP Info Center, an ActiveX-based tool provided by HP for support purposes. Although the software is designed to help users fix problems they may have, it seems that it has a few bugs which could have exactly the opposite effect.
The Info Center ActiveX control is marked by default as “Safe for Scripting”, which means scripts on web pages opened in Internet Explorer can call it, and it has full system access.
Because the flaw lies in the HP Info Center package and not the host operating system, your system could be vulnerable whichever version of Windows you're running, even if you're fully up to date with patches and service packs.
All that is needed for a cracker to execute code on your system is for you to be lured to a malicious link in Internet Explorer – once you've clicked, your system is theirs. Users of alternative browsers such as Firefox are not thought to be at risk, especially if you use the excellent NoScript.
HP has yet to comment on the vulnerability, so to protect your systems it might be a good idea to switch your browser to one that doesn't use ActiveX until such time as they acknowledge the issue and release a fix.
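If you have to keep Internet Explorer around, it helps to know which installed controls are registered as “Safe for Scripting” and whether IE has been told not to load them. The PowerShell below is an added example, not code from HP or from the milw0rm post; the article gives no CLSID for the Info Center control, so the name/path filter `\bHP\b|Hewlett` is an assumption and only a loose match.

```powershell
# Added example: list ActiveX controls registered as "Safe for Scripting"
# and show whether Internet Explorer's kill bit is set for each of them.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4A34}'  # CATID_SafeForScripting
$KillBit          = 0x400              # "Compatibility Flags" bit that stops IE loading a control
$VendorPattern    = '\bHP\b|Hewlett'   # assumption: no CLSID on the page, so filter by name/path

# Native and 32-bit-on-64-bit registry views, each paired with its kill-bit location.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-SafeForScriptingControl {
    param([string]$Pattern = '.')
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            # Skip controls that are not registered in the safe-for-scripting category.
            try { $cat = $key.OpenSubKey("Implemented Categories\$SafeForScripting") } catch { continue }
            if ($null -eq $cat) { continue }
            $cat.Close()

            # Friendly name and the DLL/OCX that implements the control.
            $name   = [string]$key.GetValue('')
            $server = $key.OpenSubKey('InprocServer32')
            $path   = if ($server) { [string]$server.GetValue('') } else { '' }
            if ("$name $path" -notmatch $Pattern) { continue }

            # Read the control's IE compatibility flags; a missing key means no kill bit.
            $compatKey = Join-Path $view.Compat $key.PSChildName
            $flags = 0
            if (Test-Path -LiteralPath $compatKey) {
                $flags = [int](Get-ItemProperty -LiteralPath $compatKey).'Compatibility Flags'
            }
            [pscustomobject]@{
                CLSID   = $key.PSChildName
                Name    = $name
                Server  = $path
                KillBit = [bool]($flags -band $KillBit)
            }
        }
    }
}

Get-SafeForScriptingControl -Pattern $VendorPattern | Format-Table -AutoSize
```

A control can also declare itself safe at run time through the `IObjectSafety` interface without a registry entry, so an empty result here does not prove that nothing scriptable is installed.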
If you're feeling technical, milw0rm.com have all the juicy details.
Any HP users out there feeling a bit worried by this turn of events, or is everyone using Firefox or Opera? Let us know via the forums.