A security researcher using the handle porkythepig said in a post today on Milw0rm that the unpatched vulnerability rests in the HP Info Center, pre-installed software that provides system information and is shipped with all HP laptops, mostly its Compaq models.
The researcher posted proof-of-concept code for the attack.
“One of [the software's] ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target the HP notebook machines for a remote code execution and remote registry manipulation-based attacks,” the researcher wrote.
If a victim is duped into visiting a malicious webpage, the attacker could take advantage of vulnerable ActiveX control – HPInfoDLL.dll – which could fire off the exploit.
“If the victim goes to a vulnerable website, the website can invoke the ActiveX control and possibly download a trojan or a backdoor or a keylogger on the machine,” Amol Sarwate, director of the vulnerability research lab at Qualys, told SCMagazineUS.com today.
About 15 different series of HP and HP Compaq notebooks are affected by the bug, according to the Milw0rm post. The machines are widely used in businesses, Sarwate said.
In lieu of a patch, users should set the kill-bit for the affected ActiveX control, according to an advisory today from Secunia, which rated the vulnerability “highly critical.” Users should also avoid visiting untrusted websites, Sarwate said.
An HP spokesperson did not respond to a request for comment.