Security Articles

Video Tutorials

WatchGuard Feeds

WatchGuard Wire

Radio Free Security

White Papers

Case Studies

Network Security Glossary

WatchGuard Wire
Improve Your Security IQ

Hewlett-Packard laptops ship with security flaw -- no extra charge

On December 27, Hewlett-Packard issued an alert stating that a zero-day flaw in their Quick Launch Button software -- installed by default at the factory -- may make it possible for an attacker to gain complete control of your computer. This flaw is present in 82 models of laptops manufactured by HP over the last few years.

This vulnerability affects Hewlett-Packard Compaq consumer and business notebooks running Windows and HP Quick Launch Button (QLB) software v6.3 or earlier. The QLB software allows one-touch key controls for users. It also contains an ActiveX control identified as HPInfoDLL.dll, which is marked as "Safe for Scripting" by default. This means the ActiveX control has the privileges needed to execute any scripts in your web browser.

An independent security researcher identified as "porkythepig" originally discovered this QLB vulnerability a few weeks earlier. He reported that the QLB ActiveX control contains three insecure ActiveX methods that an attacker could exploit in a variety of ways. If an attacker tricked you into visiting a malicious web site, he could exploit these insecure methods to execute code on your machine, modify your system registry, or even open a remote command shell -- giving him backdoor access to your machine, and potentially full control of it.

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.