Monday, December 24, 2007

Cue Security Spotlight 1: HP Compaq Vulnerabilities + Patches

Lavie still prefers her Compaq Presario V2575US notebook over the other computers in the Valca household.

It is thin, light, and doesn't feel like a furnace-blower has kicked on, unlike the Gateway MT6451 notebook.

A Rose by any other name...

Recently a series of security advisories were posted regarding a flaw in the HP Info Center software that is pre-installed on many HP laptops.  It made the news in a few web information outlets but definitely isn't as "sexy" a security story as, say a Storm Worm email attack variant falsely presenting a strip-tease decked out in Holiday cheer.

Because many consumers (and corporate/SOHO IT shops) might only see and register the "HP" reference and have a "Compaq" notebook, they might fail to associate the two and pay attention.

Unfortunately, both HP and HP Compaq notebooks are impacted.  So you need to examine this carefully and respond accordingly.  (Unless of course you or your IT group removed the software during system setup.)

The Basics (x2)

A bit lost in all this, is the fact that there are actually two HP and HP Compaq vulnerabilities.

The first impacts HP and HP Compaq notebooks/laptops.  Malicious code can be made to run via an ActiveX flaw in the HP Info Center.  This is accessed from one of the quick-launch buttons installed by HP.  It seems to work on XP SP2 systems that the software comes installed on, but (so far) not on Vista systems.

To find out whether it is installed on your laptop, check the Properties information (version tab) for C:\Program Files\Hewlett-Packard\HP Info Center\HPInfoDLL.dll on a default install.

The second might be more widespread. HP and HP Compaq systems usually ship with the "HP Software Update" application installed by default.  This application allows for support and updating of HP's own branded and installed software and custom drivers on a system.  Generally this is a Good Thing to help supplement the Windows Updates on your system.

It uses an ActiveX control to do its magic, and this is where the vulnerabilities exist.

Simply landing on a malicious website (by ordinary web-surfing, or via a link in an email) lets the site push code through that control, which can write files onto the system and so either corrupt operating system files or plant malware.  Researchers have tested the exploit successfully on Windows 2000, XP, Server 2003, and Vista systems running Internet Explorer 6 or 7.  Which is just about all of them.

Heise Security did its own tests and found that they were able to use the exploit to copy files onto a vulnerable system; however, they could not destroy existing files.

Solutions:

HP has offered half a solution to the first vulnerability for the notebooks:

HP Notebook PCs -  Quick Launch Button Software or HP Info Center May Allow Malicious Person to Target the PC - HP Bulletin notice for Softpaq 38166.

It curiously doesn't say which operating systems (XP, Vista, 2000) the patch applies to, but I guess if the software is installed on your notebook, better get patching.

Download and install SP38166.exe from the Compaq FTP site.  All this patch really does is disable the software until a true "fix" is released by HP.  Don't try to uninstall the software to fix it, as HP says an uninstall leaves the vulnerable component on the system. (Which raises the question of why an uninstall doesn't actually un-install itself...)

While poking around I also found another SoftPaq noted, SP38181.  It also addresses a security vulnerability in the HP Info Center on other HP notebooks.

As of this post, HP hasn't (publicly) offered a solution to the second vulnerability for its desktop and notebook fleets with the "Software Update" attack vector.

Heise Security was recommending disabling it yourself using this information they provided:

The ActiveX modules have the following ClassIDs:

  • RulesEngine.dll: 7CB9D4F5-C492-42A4-93B1-3F7D6946470D
  • hpediag.dll, fileUtil: CDAF9CEC-F3EC-4B22-ABA3-9726713560F8
  • hpediag.dll, regUtil: 0C378864-D5C4-4D9C-854C-432E3BEC9CCB

Until HP provides an update, affected users can protect themselves by setting the kill bit for the ActiveX module. Microsoft has provided instructions on how to do so.
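Here is an added example (mine, not from the original post, Heise, or HP) of carrying out that kill-bit recommendation for the three ClassIDs listed above. It uses the registry mechanism Microsoft documents for ActiveX kill bits: a DWORD named "Compatibility Flags" with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. It then reports whether each control is still registered on the machine and which DLL backs it, which is the same check you would make after the SoftPaq or an uninstall, given HP's warning that uninstalling can leave the vulnerable component behind. Run it from an elevated PowerShell prompt; the CLSIDs are taken from the Heise list, everything else is assumed.

```powershell
# Added example: set the IE ActiveX kill bit for the HP Software Update controls
# and verify the result. Not HP's or Heise's code; CLSIDs as listed in the post.
# Must run elevated, since it writes under HKLM.

$clsids = @(
    '{7CB9D4F5-C492-42A4-93B1-3F7D6946470D}',  # RulesEngine.dll
    '{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}',  # hpediag.dll, fileUtil
    '{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}'   # hpediag.dll, regUtil
)

# Microsoft's documented kill-bit location and flag value.
$compatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit    = 0x400

foreach ($clsid in $clsids) {
    $key = Join-Path $compatBase $clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Read any existing flags and OR in the kill bit so other flags are preserved.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$existing) -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Verification pass: is the kill bit set, and is the control still registered?
# A kill bit only stops Internet Explorer from instantiating the control; the
# DLL and its COM registration stay on disk until HP's real fix removes them.
foreach ($clsid in $clsids) {
    $key   = Join-Path $compatBase $clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'

    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path $inproc) {
        (Get-ItemProperty -Path $inproc).'(default)'
    } else {
        'not registered'
    }

    [pscustomobject]@{
        CLSID      = $clsid
        DLL        = $dll
        KillBitSet = (($flags -band $killBit) -eq $killBit)
    }
}
```

On a 64-bit Windows install the 32-bit Internet Explorer reads the same path under HKLM\SOFTWARE\Wow6432Node, so repeat the write there if that applies to you. Also note that this blocks the IE attack vector only; it does not stop HP's own updater from loading the DLLs, so HP's "run HP Software Update" resolution below is still worth applying once you can get it.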

After a LOT of web-digging I did track down this non-public announcement from the Hewlett-Packard Company, HP Software Security Response Team on BugTraq:

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Any PC with HP Software Update running on Windows

BACKGROUND
For a PGP signed version of this security bulletin please write to: security-alert (at) hp (dot) com [email concealed]

HP Software Update is an HP application which checks for and downloads updates for HP products firmware, software, and drivers. It can also help update the security and functionality of HP products.

HP Software Update may be installed on a PC as part of the software supplied with certain HP PCs, printers, scanners, or cameras.

Customers can also download the HP Software Update for installation from the HP Web Site.

RESOLUTION

HP has provided the following procedure to resolve this vulnerability:

Use HP Software Update

1. In Windows click Start ->All Programs ->HP ->HP Update
or
click Start ->All Programs ->HP ->HP Software Update

2. Click Next. HP Software Update will begin.

3. Click Next to begin the installation. Click Continue or OK if prompted by Windows to continue.

4. The HP Update installer will appear. Click Continue or OK if prompted by the installer to continue.

5. Click Finish to close HP Software Update when prompted.

Notes:

1. If HP Software Update is reinstalled using the recovery solution, the procedure above must be repeated.

2. On a PC where HP Software Update is present, the procedure above must be followed even if HP Software Update is never used.

History:
Version:1 (rev.1) - 21 December 2007 Initial release

That finally led me to this solution offered by HP after A LOT of wicked site diving on HP (can they be any more unclear about notifying their customers than this?).

Curiously, it is offered only for HP notebooks, so I would probably try the "internal" method listed above first, as I can't yet be certain they are the same thing.  Confusingly, this one is named version 1.00 A while older versions are in the 4.x.x series.

I might run Wireshark on our own HP Compaq notebook when I try the internal update method to see if it provides any more SoftPaq numbers or information.

Whew.

--Claus
