Bardissi Enterprises Blog

Hewlett-Packard ActiveX Flaws Let Attackers Control HP Computers

Severity: High

5 June, 2008

Summary:

  • This vulnerability affects: Hewlett-Packard desktop and laptop computers running Windows
  • How an attacker exploits it: By luring one of your users to a maliciously crafted website, where a drive-by download occurs
  • Impact: The attacker can take complete control of your user’s computer
  • What to do: Either set the kill bit for the vulnerable ActiveX control, or update your HP Instant Support software to version 1.0.0.24

Exposure:

Hewlett-Packard (HP) is the world’s largest PC dealer. HP has sold millions of desktop and laptop computers, and according to industry observers, accounts for as much as 20 percent of the PC market. Somewhere among your users, it is probable that an HP computer regularly connects to your network. If you have no HP computers on your network, this security alert does not pertain to you.

Yesterday, researcher Dennis Rand of the Danish security firm, CSIS, announced several major security flaws in the version of ActiveX that HP pre-installs on its computers. HP’s version of ActiveX is unique in that it contains a plug-in which causes the user’s computer to automatically connect to HP’s Instant Support service for updates of HP software, BIOS, and other Windows drivers. The ActiveX plug-in also installs itself if a user visits HP’s web page to access software updates for a wide range of HP products. This means that any well-maintained HP computer is likely to contain the vulnerable software. Note that the vulnerabilities can be exploited even if Instant Support is not in use.

Rand’s write-up (PDF) details eight ways in which an attacker could exploit flaws in HP’s ActiveX to take control of a user’s computer. Most of these flaws are severe enough that a successful attack requires very little interaction on the part of the victim. If the attacker can lure the victim to a maliciously crafted web page, the vulnerabilities can be exploited the moment the victim arrives, even if the victim doesn’t click anything on the page itself (an attack known as a drive-by download). The specific functions in HP’s ActiveX which are vulnerable are:

  • AppendStringToFile
  • ExtractCab
  • GetFileTime
  • MoveFile
  • RegistryString
  • DownloadFile
  • StartApp
  • DeleteSingleFile

The various vulnerabilities include buffer overflows, the ability to execute code of the attacker’s choosing, and the ability for the attacker to write a file to anywhere the user can. On a severity scale of 1 to 10, with 10 being worst, many of these vulnerabilities rate at least 9. It is also possible for an attacker to exploit these vulnerabilities through SQL injection or HTML injection techniques.

Incidentally, this is not the first time HP has installed dangerous flaws onto their own products. Very late in 2007, we wrote about vulnerabilities in their Quick Launch Button software, installed on 82 different HP laptop models.

Solution Path:

The very software that is the problem could also be part of the answer. HP recommends updating your Instant Support software, especially if you have version 1.0.0.22 or earlier. To install HP Instant Support version 1.0.0.24 or later, visit the Instant Support Professional edition web site and choose to launch an online diagnostic session. According to our correspondence with Dennis Rand, you must manually request the update; it will not patch itself automatically.

Alternatively, if you don’t use Instant Support and don’t expect to use it, you can modify the vulnerable HP software so that it cannot execute. Doing so involves setting the kill bit for the ActiveX control which has the Class Identifier (CLSID) of 14C1B87C-3342-445F-9B5E-365FF330A3AC. For more details, see HP’s Support Document and cross-reference it with the Microsoft Knowledge Base article, “How to stop an ActiveX control from running in Internet Explorer.”
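The following PowerShell sketch is an added example, not taken from HP's or Microsoft's documents: it reports and sets the kill bit for the CLSID above in both the native and the 32-bit registry views. It assumes the standard Internet Explorer kill-bit location (the `Compatibility Flags` DWORD value 0x400 under the `ActiveX Compatibility` key) and an elevated prompt; the function names are hypothetical.

```powershell
# Added example: audit and set the IE kill bit for the control named in this advisory.
# Run from an elevated PowerShell prompt. Function names are illustrative.
$Clsid   = '{14C1B87C-3342-445F-9B5E-365FF330A3AC}'  # CLSID from the advisory
$KillBit = 0x400                                      # kill bit within "Compatibility Flags"
$Value   = 'Compatibility Flags'

# Native view plus the 32-bit view that 32-bit Internet Explorer reads on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_) }        # skip views absent on this OS

function Get-KillBitState {
    param([string]$Root)
    $key   = Join-Path $Root $Clsid
    $flags = (Get-ItemProperty -Path $key -Name $Value -ErrorAction SilentlyContinue).$Value
    [pscustomobject]@{
        Key    = $key
        Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
        Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$Root)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name $Value -ErrorAction SilentlyContinue).$Value
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any other compatibility flags already present are preserved.
    Set-ItemProperty -Path $key -Name $Value -Type DWord -Value ($current -bor $KillBit)
}

# Report, remediate anything not yet blocked, then report again to confirm.
$Roots | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
$Roots | Where-Object { -not (Get-KillBitState $_).Killed } | ForEach-Object { Set-KillBit $_ }
$Roots | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
```

Internet Explorer reads this value when it instantiates a control, so restart the browser after the change. Setting the kill bit also stops Instant Support itself from running in the browser.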

For All Users:

Because of the severity of the flaws in HP’s ActiveX, and the nature of web sessions (attack code from a malicious web site is technically data that your user requested, which can allow the data to pass checkpoints that would resist an attack initiated externally), your safest response is to take either of the actions listed under “Solution Path.” These are severe security holes and proof of concept code has been publicly posted. An attacker does not need much sophistication to “weaponize” the provided code, and we expect to see these flaws exploited in the wild almost immediately. We urge you to address these flaws at your earliest opportunity.

Status:

Hewlett-Packard released Instant Support 1.0.0.24, fixing this issue.
