Most HP, Compaq notebooks ship with code bugs

Nearly two dozen models plagued by vulnerabilities

Nearly two dozen different laptop models sold by Hewlett-Packard ship with software plagued by multiple zero-day vulnerabilities, security researchers said Wednesday.

The bugs are in an ActiveX control included with the HP Info Center software preinstalled on both HP- and Compaq-branded laptops running Windows 2000, XP, Server 2003 and Vista, Symantec Corp. said in a note to clients of its DeepSight threat network. Info Center is a part of HP's Quick Launch Buttons application, which gives users one-click access to information and configuration details on the portables.

"One of its ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for remote code execution- and remote registry manipulation-based attacks," said a researcher using the alias "porkythepig" in posts to both milw0rm.com and the Bugtraq security mailing list.

The posts spelled out the vulnerabilities and included proof-of-concept exploit code.

Symantec recommended that users set the "kill bit" on the ActiveX control until HP produces a patch; that process, however, requires editing the Windows registry, a daunting chore for most users. A less effective defense would be to disable Active Scripting in Internet Explorer, Symantec added in the note, since "the primary way to exploit this vulnerability is via a malicious Web page."

Although porkythepig said that the defective ActiveX control has shipped with "almost every HP laptop model for [the past] few years," he claimed that 23 different notebooks had been confirmed as running the flawed control. The list included the HP 510 and 530; the Compaq 2710, 2510, 6120, 6220, 6230, 6325, 6510, 6715, 6910, 7300, 8220, 8230, 8440, 8510, 8710 and 9440; and the NC, NW and NX series notebooks.

The hacker also took a shot at HP in the messages on milw0rm.com and Bugtraq. "I think the company so deeply involved in security software patents war should take a bigger care about the users' security than taking profits from the rights to the invention of the circle," said porkythepig. "After all, what are the security software patents worth if it is the user who has the final word about their own software security?"

It was unclear what "patents war" porkythepig referred to, but HP recently settled with Web application security vendor Cenzic Inc. to cross-license multiple patents that had been at the heart of two lawsuits filed by SPI Dynamics Inc., a security testing tools developer acquired by HP in June. The settlement was announced by the two companies Oct. 1, and the lawsuits were immediately dropped.

HP was not available for comment on the ActiveX bugs disclosed by porkythepig.

Gregg Keizer

Computerworld