X
Tech

Holes in HP Software Update threaten data leakage

HP's Software Update Tool has been found to contain a flaw which can lead to remote code execution or the leakage of sensitive information stored on a PC.
Written by Liam Tung, Contributing Writer

HP's Software Update Tool has been found to contain flaws which can lead to remote code execution or the leakage of sensitive information stored on a PC.

The offending component of the HP Software Update application is the HPeDiag ActiveX control, which checks for and downloads security, firmware, software and driver updates.

The flaw affects any HP PCs, or any PC connected to HP scanners, printers and cameras that contain a version of the update.

Tan Chew Keong from Vuln.sg, who advised HP of the flaw in March, said the vulnerable ActiveX controls are installed as part of HP Software Update version 3.0.2.991 when the user installs the Windows software suite for HP colour LaserJet 2820/2840.

However, according to HP's security advisory, the flaw affects a larger set of products, including scanners, printers, cameras and PCs that use HP Software Update. Updates v4.000.009.002 or earlier running on Windows may be exposed to the vulnerability but should be resolved for PCs with update v4.000.010.008 or higher.

"A successful exploit requires that the user is tricked into visiting a malicious Web site using IE6 or earlier. If the user uses IE7, he must first be convinced into allowing the ActiveX control to run," Tan said.

HP has not clarified in its advisory which versions of Internet Explorer are vulnerable to such an attack; however, it does explain how to resolve the problem.

HP has not advised customers to disable ActiveX in Internet Explorer, however USCert and Tan recommend doing so.

The flawed application is the second threat that HP has exposed its customers to this month. HP previously shipped malware-infected USB drives for its ProLiant servers.

HP was unable to respond to ZDNet.com.au's questions at the time of writing.

Editorial standards