Severity: High
5 June, 2008
Summary:
- This vulnerability affects: Hewlett-Packard desktop and laptop computers running Windows
- How an attacker exploits it: By luring one of your users to a maliciously crafted website, where a drive-by download occurs
- Impact: The attacker can take complete control of your user’s computer
- What to do: Either set the kill bit for the vulnerable ActiveX control, or update your HP Instant Support software to version 1.0.0.24
Exposure:
Hewlett-Packard (HP) is the world’s largest PC dealer. HP has sold millions of desktop and laptop computers, and according to industry observers, accounts for as much as 20 percent of the PC market. Somewhere among your users, it is probable that an HP computer regularly connects to your network. If you have no HP computers on your network, this security alert does not pertain to you.
Yesterday, researcher Dennis Rand of the Danish security firm CSIS announced several major security flaws in the ActiveX control that HP pre-installs on its computers. HP’s ActiveX control is unique in that it causes the user’s computer to automatically connect to HP’s Instant Support service for updates of HP software, BIOS, and other Windows drivers. The control also installs itself if a user visits HP’s web page to access software updates for a wide range of HP products. This means that any well-maintained HP computer is likely to contain the vulnerable software. Note that the vulnerabilities can be exploited even if Instant Support is not in use.
Rand’s write-up (PDF) details eight ways in which an attacker could exploit flaws in HP’s ActiveX to take control of a user’s computer. Most of these flaws are severe enough that a successful attack requires very little interaction on the part of the victim. If the attacker can lure the victim to a maliciously crafted web page, the vulnerabilities can be exploited the moment the victim arrives, even if the victim doesn’t click anything on the page itself (an attack known as a drive-by download). The specific functions in HP’s ActiveX which are vulnerable are:
- AppendStringToFile
- ExtractCab
- GetFileTime
- MoveFile
- RegistryString
- DownloadFile
- StartApp
- DeleteSingleFile
The various vulnerabilities include buffer overflows, the ability to execute code of the attacker’s choosing, and the ability for the attacker to write a file to anywhere the user can. On a severity scale of 1 to 10, with 10 being worst, many of these vulnerabilities rate at least 9. It is also possible for an attacker to exploit these vulnerabilities through SQL injection or HTML injection techniques.
Incidentally, this is not the first time HP has installed dangerous flaws onto their own products. Very late in 2007, we wrote about vulnerabilities in their Quick Launch Button software, installed on 82 different HP laptop models.
Solution Path:
The very software that is the problem could also be part of the answer. HP recommends updating your Instant Support software, especially if you have version 1.0.0.22 or earlier. To install HP Instant Support version 1.0.0.24 or later, visit the Instant Support Professional edition web site and choose to launch an online diagnostic session. According to our correspondence with Dennis Rand, you must manually request the update; it will not patch itself automatically.
Alternatively, if you don’t use Instant Support and don’t expect to use it, you can modify the vulnerable HP software so that it cannot execute. Doing so involves setting the kill bit for the ActiveX control which has the Class Identifier (CLSID) of 14C1B87C-3342-445F-9B5E-365FF330A3AC. For more details, see HP’s Support Document and cross-reference it with the Microsoft Knowledge Base article, “How to stop an ActiveX control from running in Internet Explorer.”
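The kill-bit workaround above, written out as an added PowerShell example (not HP’s or Microsoft’s own script). The CLSID is the one given in this alert; the registry location and the 0x400 “kill bit” value are the ones documented in the Microsoft Knowledge Base article cited below. The script must run from an elevated (administrator) PowerShell session.

```powershell
# Set the Internet Explorer kill bit for the HP Instant Support ActiveX control.
# CLSID from this alert (registry keys use the braced form).
$clsid = '{14C1B87C-3342-445F-9B5E-365FF330A3AC}'

# Location documented in Microsoft KB "How to stop an ActiveX control from
# running in Internet Explorer"; 0x400 in "Compatibility Flags" is the kill bit.
$killBit = 0x400
$paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view too.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($base in $paths) {
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Read any existing flags so we OR in the kill bit rather than overwrite them.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verification: confirm the kill bit is present in every location written.
foreach ($base in $paths) {
    $key   = Join-Path $base $clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $isSet = ($flags -band $killBit) -ne 0
    Write-Output ("{0}`n  Compatibility Flags = 0x{1:X}  kill bit set: {2}" -f $key, $flags, $isSet)
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not remove the HP software, so it is a containment step rather than a substitute for the 1.0.0.24 update if you intend to keep using Instant Support.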
For All Users:
Because of the severity of the flaws in HP’s ActiveX, and the nature of web sessions (attack code from a malicious web site is technically data that your user requested, which can allow the data to pass checkpoints that would resist an attack initiated externally), your safest response is to take either of the actions listed under “Solution Path.” These are severe security holes and proof of concept code has been publicly posted. An attacker does not need much sophistication to “weaponize” the provided code, and we expect to see these flaws exploited in the wild almost immediately. We urge you to address these flaws at your earliest opportunity.
Status:
Hewlett-Packard released Instant Support 1.0.0.24, fixing this issue.
References:
- CSIS Security Research and Intelligence Advisory (PDF)
- Hewlett-Packard Support Document HPSBMA02326
- Microsoft Knowledge Base article, “How to stop an ActiveX control from running in Internet Explorer.”