Security leak in HP Software Update
Only last week, HP had to close a critical hole in software preinstalled on some of its notebooks. Now, further security leaks have been discovered in another preinstalled component. The ActiveX module in HP's Software Update, which is designed to automatically look for updated drivers and vendor software, apparently can be accessed from websites. Attackers can use specially crafted websites to exploit some insecure functions in the module in order to create files on affected systems or to destroy or read existing files.
Under the alias porkythepig, one of those who discovered the holes has published a security advisory describing the vulnerability in the function SaveToFile() used in the ActiveX module RulesEngine.dll. Because the module is marked as safe for scripting, the function can be called from websites in Internet Explorer. However, in Internet Explorer 7, the browser asks for permission twice before it executes the function. porkythepig writes that the ActiveX component has complete system access and can overwrite the first four bytes of files – even those required for booting the system. He also provides a demonstration in his advisory that should destroy Windows start files and damage the system so much that it can no longer be booted.
In an internal test, heise Security was able to reproduce the first of the described problems: new files can be stored. Malicious websites, for instance, could fill up your hard drive that way. On the other hand, we could not replicate the demolition of existing files. The version of HP Software Update that we tested (4.0.5) is the one that can be currently downloaded from HP's homepage; it apparently does not contain one of the vulnerabilities. The security advisory says that versions 184.108.40.206 of HP Software Update Client and version 1.0 of the rulesengine.dll are the vulnerable components. These versions may be preinstalled on HP systems and could contain both vulnerabilities.
Elazar Broad has reported another vulnerability in an ActiveX module employed in HP's Software Update. According to his security advisory, the component hpediag.dll allows arbitrary files and registry keys on the system to be read. The library is reportedly vulnerable in version 220.127.116.11; we were not able to replicate the problem with version 18.104.22.168 from the current HP Software Update.
The ActiveX modules have the following ClassIDs:
- RulesEngine.dll: 7CB9D4F5-C492-42A4-93B1-3F7D6946470D
- hpediag.dll, fileUtil: CDAF9CEC-F3EC-4B22-ABA3-9726713560F8
- hpediag.dll, regUtil: 0C378864-D5C4-4D9C-854C-432E3BEC9CCB
Until HP provides an update, affected users can protect themselves by setting the kill bit for the ActiveX module. Microsoft has provided instructions on how to do so.
- HP laptops Software Update tool vulnerability, security advisory by porkythepig
- HP eSupportDiagnostics hpediags.dll Information Disclosure, security advisory by Elazar Broad