Got an HP printer? Watch out....

["Richard M. Smith" <rms () computerbytesman com>]

Hi,

A few days ago, Brian Mariani reported on a security hole in an HP ActiveX
control that allows for system take-over from a malicous script on a Web
page.  The "safe-for-scripting" control includes a method for writing XML
files on the local hard drive(!).  This unsafe method can be used to drop a
malware downloader .HTA script in the "All Users" start-up folder that gets
run the next time a system is rebooted.

More info about the bug is available here:

   http://www.securityfocus.com/archive/1/472384

I actually found the same bug about 18 months ago and reported the problem
right away to HP.  It appears HP hasn't issued a security patch in all this
time.  I believe this buggy control is installed by most HP printer support
software shipped since 2001 or 2002.

Turning on the kill bit for this control is a wise move.

For reasons I don't quite understand yet, IE7's ActiveX opt-in feature
didn't stop Brian's POC demo from running on my home system.  More
investigation is required.

Richard M. Smith

P.S.  There are other HP ActiveX controls with similar security problems.  
 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.