PRWeb The Leader Press Release Distribution
See How PRWeb Works

We're here to help 1-866-640-6397

Login Create Free Account

Why PRWeb Customer Examples Pricing Tools & Tips

All Press Releases for June 19, 2008 Subscribe to this News Feed    
 

Multiple Vulnerabilities in HP Software

Hewlett-Packard (HP) is the world´s largest PC dealer. According to IDC, HP shipped 14.7 million units worldwide, a 23.3 percent year-over-year growth and a 19 percent market share.

(PRWEB) June 19, 2008 -- PC´s and laptops from HP are often shipped with preinstalled software running on Microsoft Windows. The software is designed so the end-user can keep drivers and HP software automatically updated. This is done through a ActiveX plugin for Microsoft Internet Explorer.

CSIS have discovered multiple high-risk vulnerabilities in several parts of that specific software. The affected component are found preinstalled on a broad range of HP equipment but are also installed when a end user visits HP webpage in order to access software updates such as applications, drivers and firmware for multiple HP products.

We have discovered eight different vulnerabilities of which five should be considered highly critical since they allow remote code execution.

At least five of these vulnerabilities have been confirmed to work in a typical drive-by scenario. All it takes to exploit is to lure a user into visiting a hostile and specifically crafted website. The attack could also be done through SQL and HTML injection. This would allow, if the system is found vulnerable, to run arbitrary code and take complete control of the system or at least with the privileges of the logged on user. In order for this scenario to work it would only require one of the affected ActiveX objects to be installed and Active scripting to be enabled in Microsoft Internet Explorer, which it is by default.

The vulnerability was discovered and reported by Dennis Rand from CSIS Security Group.

HP has released an advisory and update to address these vulnerabilities.

HP Instant Support HPISDataManager.dll Running on Windows, Remote Execution of Arbitrary Code http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01422264

Technical advisory with PoC can be downloaded here:
http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf

###

OPTIONS
Printer Friendly Version
Download PDF Version
Download Reader Version
Email this story to a colleague
CONTACT INFORMATION
Dennis Rand
CSIS Security Group
+45 88136030
Email us Here
ATTACHED FILES

There are no multimedia files attached to this release. If this is your release, you may add images or other multimedia files through your PRWeb News Management Console.
ABOUT PRESS RELEASES
If you have any questions regarding information in these press releases please contact the company listed in the press release. Please do not contact PRWeb. We will be unable to assist you with your inquiry. PRWeb disclaims any content contained in these release. Our complete disclaimer appears here.
 

© Copyright 1997-2009, Vocus PRW Holdings, LLC.
Vocus, PRWeb and Publicity Wire are trademarks or registered trademarks of Vocus, Inc. or Vocus PRW Holdings, LLC.

About PRWeb | News about PRWeb | Contact Us | Terms of Service | Privacy Policy | Copyright