Hewlett Packard Security Updater has serious security holes
By Leslie Poston
Hewlett Packard faces a new security hazard as their Software Update Tool is found to have a fairly serious security hole. The double threat can lead to remote command execution or data leakage, both of which are huge issues for a company like Hewlett Packard.
Since many people who may not be very technologically aware trust Hewlett Packard as a brand, they are more likely to have their updates set to automatic. This poses a real threat to their security, especially given the remote access flaw.
The offending piece of code is an Active-X module, specifically the HPeDiag ActiveX control module. This is what checks for updates and keeps your Hewlett Packard software up to snuff. Active-X is well known among the technologically savvy to cause security issues, but most home users aren’t aware of the issues with it.
The security flaw was discovered as far back as March and has yet to be fixed at the time of this article. Instead of closing the hole on their end, or advising users not to turn on Active-X plugins, Hewlett Packard has posted a workaround on their web site. It is a band-aid solution that does no service to their loyal customers.
Security firms assessing this issue and others like it at other companies that use Active-X have been telling users across the board to leave Active-X plugins turned off and not to authorize any software that uses Active-X to update their machines. Users with Hewlett Packard computers or peripherals using the software update are vulnerable to this flaw, and it is highly recommended that you visit the Hewlett Packard site and implement the workaround, then turn off Active-X.
