Holes in HP Software Update threaten data leakage

HP's Software Update Tool has been found to contain flaws which can lead to remote code execution or the leakage of sensitive information stored on a PC.

The offending component of the HP Software Update application is the HPeDiag ActiveX control, which checks for and downloads security, firmware, software and driver updates.

The flaw affects HP PCs, and any other PC on which a vulnerable version of the updater was installed alongside the software for an HP scanner, printer or camera.

Tan Chew Keong from Vuln.sg, who advised HP of the flaw in March, said the vulnerable ActiveX controls are installed as part of HP Software Update version 3.0.2.991 when the user installs the Windows software suite for HP colour LaserJet 2820/2840.

However, according to HP's security advisory, the flaw affects a larger set of products, including scanners, printers, cameras and PCs that use HP Software Update. HP Software Update v4.000.009.002 or earlier running on Windows may be exposed to the vulnerability; the issue is resolved in v4.000.010.008 and later.

"A successful exploit requires that the user is tricked into visiting a malicious Web site using IE6 or earlier. If the user uses IE7, he must first be convinced into allowing the ActiveX control to run," Tan said.

HP has not clarified in its advisory which versions of Internet Explorer are vulnerable to such an attack; however, it does explain how to resolve the problem.

HP has not advised customers to disable ActiveX in Internet Explorer; US-CERT and Tan, however, recommend doing so.
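The two mitigations mentioned above can both be applied from an elevated PowerShell session. The following is an added example, not code from the article, from HP, US-CERT or Tan: one function sets Microsoft's standard kill bit for a given ActiveX control so Internet Explorer refuses to instantiate it, and one sets the Internet zone's "Run ActiveX controls and plug-ins" action. The article does not give the CLSID of the HPeDiag control, so the CLSID passed in the usage call is a placeholder; look the real one up in the vendor advisory or under HKCR\CLSID on an affected machine.

```powershell
# Added example (not from the article or from HP). Run in an elevated shell.
# ASSUMPTION: the HPeDiag control's CLSID is not given in the article; the value
# used in the usage call at the bottom is a placeholder, not a real identifier.

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid   # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    )
    # IE's kill-bit mechanism: a control whose "Compatibility Flags" DWORD has
    # bit 0x400 set under this key is never instantiated, whatever the zone
    # settings say. On 64-bit Windows the 32-bit browser reads the Wow6432Node
    # copy, so both keys are written.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $result = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor 0x400          # preserve any flags already set
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        $result += $new
    }
    return $result
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Returns $true only if the kill bit is set in the native key.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band 0x400) -eq 0x400
}

function Set-InternetZoneActiveX {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode = 'Disable')
    # Zone 3 is the Internet zone; action 1200 is "Run ActiveX controls and
    # plug-ins". 0 = enable (the weak default), 1 = prompt, 3 = disable.
    $map = @{ Enable = 0; Prompt = 1; Disable = 3 }
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    Set-ItemProperty -Path $key -Name '1200' -Value $map[$Mode] -Type DWord
    return (Get-ItemProperty -Path $key -Name '1200').'1200'
}

# Usage (placeholder CLSID; replace with the control's real CLSID):
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $placeholderClsid | Out-Null
Test-ActiveXKillBit -Clsid $placeholderClsid   # $true once the bit is set
Set-InternetZoneActiveX -Mode Disable           # 3
```

The kill bit is the narrower fix: it blocks only the named control, so the rest of the HP updater and unrelated ActiveX content keep working, and it stays effective even if a later installer re-registers the control. Disabling ActiveX for the whole Internet zone is the blanket measure US-CERT and Tan describe; it is applied per user (HKCU), so it must be set for every account that browses on the machine. Neither replaces upgrading to a fixed version of HP Software Update.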

The flawed application is the second threat that HP has exposed its customers to this month. HP previously shipped malware-infected USB drives for its ProLiant servers.

HP was unable to respond to ZDNet.com.au's questions at the time of writing.


Talkback (1 comment)

    Is any of that junk needed anyways? Anonymous -- 30/04/08

    I've never understood HP, Toshiba, etc. requiring 10s or 100s of megs of downloads just to print to a little printer or whatever.

    Some of this software they put on your computer could be spyware from the company itself.
    Once I called up HP tech support about why it crashed while installing my printer software. I was going through the procedure with the telephone tech and then I started up the IE browser to look something up, and he interrupts me and says it looks like IE has started, please restart the installation procedure again. I didn't mention anything about IE to him.

    I ended up fixing my problem. It was because the HP installer was trying to access a private drive that didn't even allow admin access, which is weird too because the drive had nothing to do with the installation.
