It’s a big blow to Hewlett-Packard/Compaq: A hacker named “porkythepig” published an online report of a vulnerability in the HP Software Update application, along with exploit code, that affects nearly every HP/Compaq laptop.

According to porkythepig’s post, the HP Software Update bugs let an attacker overwrite Windows kernel files, leaving the laptop unbootable, or, with a little more effort, hijack the PC outright or plant malware on it. In either case the attack is a drive-by: the victim only has to follow a link, for example one sent in an e-mail message, to a malicious Web site.

“Every HP notebook machine containing the HP Software Updates application is vulnerable,” claimed porkythepig. “It is possible that the vulnerable machine model list disclosed by the vendor as a confirmation to the previous issue concerning HP laptops, [the] HP Info Center case, will be similar in this case.”

Here’s the painful part:

The researcher said he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities put at risk any user who has either Internet Explorer 6 (IE6) or IE7 on the PC. Nor will HP be able to reuse the down-and-dirty fix it deployed last week, said porkythepig. After he revealed several bugs in HP’s Info Center a week ago, HP issued an update that simply disabled the vulnerable control rather than fixing it.

“Simple disabling of the vulnerable control by the vendor’s patch, like in the other HP software vulnerability case, HP Info, [could still] result in the machine['s] software update system [being] compromised, and would leave the user vulnerable to future security issues,” porkythepig said in the milw0rm.com write-up.
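If you want to see for yourself whether HP’s earlier fix really did nothing more than switch the control off in IE, the thing to look at is the Internet Explorer “kill bit”: a flag IE checks before it instantiates an ActiveX control. The script below is an added example written for this post, not code from porkythepig, HP or milw0rm; it reports whether a given control is kill-bitted. The CLSID of the HP Software Update control is not given anywhere in the post, so the value in the usage line is a placeholder you must replace with the one from the vendor advisory. Note what the check does and does not tell you: a set kill bit means IE will refuse to load the control, which is all that “disabling” amounts to; it says nothing about whether the code on disk was fixed, which is exactly the point porkythepig raises.

```powershell
# Added example (not from the original post, HP or milw0rm). Reports whether
# Internet Explorer has a given ActiveX control "kill-bitted", i.e. disabled by
# the Compatibility Flags registry value that a disable-only vendor fix sets.
function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        # CLSID in registry form, braces included. The HP Software Update
        # control's CLSID is not stated in the post; supply it from the advisory.
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )

    # Bit 0x400 of "Compatibility Flags" is the kill bit. On 64-bit Windows the
    # 32-bit IE reads the Wow6432Node view, so check both locations.
    $KillBit = 0x400
    $Paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($Path in $Paths) {
        if (-not (Test-Path -Path $Path)) {
            [pscustomobject]@{ Clsid = $Clsid; Hive = $Path; Flags = $null; KillBit = $false; Note = 'no compatibility entry (control not disabled here)' }
            continue
        }
        $Item  = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $Flags = if ($null -ne $Item) { [int]$Item.'Compatibility Flags' } else { 0 }
        $Set   = (($Flags -band $KillBit) -ne 0)
        [pscustomobject]@{
            Clsid   = $Clsid
            Hive    = $Path
            Flags   = ('0x{0:X}' -f $Flags)
            KillBit = $Set
            Note    = if ($Set) { 'IE will refuse to load this control; the binary itself is untouched' } else { 'entry present but kill bit not set' }
        }
    }
}

# Usage (placeholder CLSID; replace with the control's real CLSID from the advisory):
# Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A kill bit that is set is the signature of the disable-only approach the quote above criticises: the control stays installed and registered, IE just won’t load it, and any other path to the same code is unaffected.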

HP did not reply to e-mailed requests for confirmation and comment.

I keyed in on the fact that it’s Internet Explorer that is the hub of the risk. Yeah, that Internet Explorer crapware, the browser that protects the right to show ads!

The worst thing HP can do is say nothing. Say something, even if it’s an “oops” or “we’ll look into this right away.”
