Multiple Vulnerabilities in HP Quick Launch Button software

AV08-001
Date: 02 January 2008

Purpose

The purpose of this advisory is to raise awareness of multiple remotely exploitable vulnerabilities in the Info Center component of the HP Quick Launch Button software package.

Assessment

Three critical vulnerabilities have been discovered in the HP Info Center software. HP Info Center, part of the HP Quick Launch Buttons software, is included in default installations of various HP Notebooks and Tablet PCs. HPInfoDLL.dll, an ActiveX control component of HP Info Center, is susceptible to several vulnerabilities that, if successfully exploited, could result in remote code execution, remote system registry access (read/write), or shell command execution.

Exploitation is achieved by luring the user into accessing a malicious URL designed to exploit these vulnerabilities. Continued exploitation is achieved without further user interaction or knowledge of infection.

Vulnerable Products

HP Info Center versions prior to and including 1.0.1.1 (HP Compaq PCs and Notebooks running the Microsoft Windows operating system with HP Quick Launch Buttons version 6.3 and earlier installed)

Note: Removing or un-installing Quick Launch Button software does not eliminate the vulnerability. HP suggests that all HP notebook PCs should have the applicable security patch applied.
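
Because un-installing the software does not eliminate the vulnerability, an inventory check can look for the ActiveX control file itself rather than the installed-programs list. The following PowerShell sketch is an added example, not part of the CCIRC advisory or HP's tooling; it assumes PowerShell 3.0 or later, that the DLL's file version tracks the HP Info Center version quoted above, and that the file sits under one of the listed search roots.

```powershell
# Added example (not from the advisory): locate HPInfoDLL.dll and compare its
# file version with 1.0.1.1, the highest HP Info Center version listed as vulnerable.
# Assumption: the DLL's file version tracks the HP Info Center version.
$maxVulnerable = [version]'1.0.1.1'

# Assumption: the control is installed under one of these roots; extend as needed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

# Search by file name so that leftovers from an un-installed package are also found.
$found = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter 'HPInfoDLL.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}

$report = foreach ($file in $found) {
    $vi = $file.VersionInfo
    if ([string]::IsNullOrEmpty($vi.FileVersion)) {
        # No version resource: cannot be classified automatically.
        $ver    = $null
        $status = 'no version resource, inspect manually'
    } else {
        # Use the numeric parts; the FileVersion string may carry extra text.
        $ver = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $status = if ($ver -le $maxVulnerable) {
            'at or below 1.0.1.1, apply the applicable SoftPaq'
        } else {
            'above 1.0.1.1'
        }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Path        = $file.FullName
        FileVersion = $ver
        Status      = $status
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    "HPInfoDLL.dll not found under: $($roots -join ', ')"
}
```

A host with no match under these roots may still carry the file elsewhere, so an empty result only covers the directories searched.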

Suggested action

CCIRC recommends that administrators test and install the following vendor supplied patches and product upgrades at the earliest opportunity:

For HP Compaq nc, nx, nw and tc Series business notebook PC models (for example, nc6230, nw8440) and HP 500, 510, 520 and 530 business notebook PC models, download and install HP SoftPaq SP38181:

  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38181.html (information)
  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38181.exe (patch)

For HP Compaq business notebook PC model numbers ending in the letter b, p, s or w (for example, 6515b, 6910p, 8510w), download and install HP SoftPaq SP38171:

  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38171.html (information)
  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38171.exe (patch)

For HP Pavilion and Compaq Presario consumer notebook PCs, download and install HP SoftPaq SP38166:

  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html (information)
  • ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.exe (patch)

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca