Security vulnerability in HP ActiveX control
Security researchers from Goodfellas report that drivers for HP products install an unsafe ActiveX control. The HP All-in-One Series Web Release and HP Photo & Imaging Gallery Version 1.1 drivers are affected. A heap-based buffer overflow can occur in at least the English version of the hpqutil.dll 2.0.0.138 file.
When the ListFiles() function is called by web pages which load the ActiveX control, the software apparently does not check the length of user parameters to the call. Excess data can cause a buffer overflow, resulting in the execution of injected malicious code. The bug is apparently due to defective components from Microsoft. According to the Goodfellas security advisory, the FindFile() function in the MFC42 and MFC71 MFC libraries reserves 592 bytes in the Unicode version and 320 bytes in the ASCII version for the first argument passed to the function, without checking that this buffer is sufficiently large for the actual parameter passed. If an application which uses this function does not check the size of the parameter itself, a buffer overflow may occur with the usual consequences.
According to the security advisory, the Argentinian security researchers have contacted Microsoft, which categorised the problem as non-urgent. A bugfix should, however, be available soon. It is not known whether updated or bug-fixed software for the affected HP ActiveX control is available. Users can set the kill bit for the control, which has ClassID F3F381A3-4795-41FF-8190-7AA2A8102F85, so that web pages can no longer load it in Internet Explorer. Because of the large number of defective ActiveX components which can be exploited to inject external code in Internet Explorer, users would be better advised to completely deactivate ActiveX for the internet zone.
- FileFind class from MFC Library cause heap overflow, security advisory from Goodfellas
- ActiveX hpqutil!ListFiles hpqutil.dll - Remote heap overflow, security advisory from Goodfellas
(mba)