Security update for critical vulnerability in HP notebooks
HP has released an interim update (SP38166.exe) for the critical vulnerability in the HP Info Center software pre-installed on many of its laptop models. The update deactivates the vulnerable software until a proper patch becomes available. Attackers may exploit the vulnerability to infect laptops with malware when a specially crafted web page is visited using Internet Explorer 6 or 7. Info Center is a component of the HP Quick Launch Buttons, which are generally factory-installed. According to HP, uninstalling the Quick Launch Buttons does not resolve the problem, as the vulnerable component would still remain on the laptop.
On corporate notebooks, software configurations may vary, and Info Center may not be installed even if the Quick Launch Buttons are available. Whether the software is installed, and if so which version is on a laptop, can be determined from the C:/Programme/Hewlett-Packard/HP Info Center/HPInfoDLL.dll file.
According to the manufacturer's advisory, the affected configurations are HP Compaq Business notebooks with Quick Launch Buttons version 6.3 and earlier, as well as HP Pavilion and Compaq Presario notebooks with Quick Launch Buttons versions 6.0 to 6.3. A complete listing of affected systems can be found in the HP Quick Launch Buttons Critical Security Update documentation. HP recommends that all affected users install the update as soon as possible.