Exploit Found to Brick Most HP and Compaq Laptops

Ian Lamont writes "A security researcher calling himself porkythepig has published attack code that can supposedly brick most HP and Compaq laptops. The exploit uses an ActiveX control in HP's Software Update. It would 'let an attacker corrupt Windows' kernel files, making the laptop unbootable, or with a little more effort, allow hacks that would result in a PC hijack or malware infection.' The same researcher last week outlined a batch of additional vulnerabilities in HP and Compaq laptops, for which HP later issued patches."

Re:Argh

[a_nonamiss]

In theory, the exploit could probably be used to flash a bad BIOS image or something, so maybe the headline is possible if not entirely correct...

Okay, "bricked" was the wrong word...but!

[erroneus]

The story is yet another illustration of how dangerous ActiveX is. This is not the first example and it probably won't be the last. So many other things depend on or otherwise utilize activex... some are highly security sensitive like in the case of ADP. I cannot understand why, after all these years of examples why Microsoft hasn't recalled the use of the technology as inherently dangerous. But really, it's worse than that. It breaks the premise of the web. The use of the web is not supposed to be limited to a certain hardware specification under a certain software configuration... this is irrelevant, of course, to the dangers pushed upon the users who are often required to use it.

Re:Argh

[obeythefist]

Ahh, it's not at all, that reminds me of the old joke:

A couple goes on vacation to a fishing resort. The husband likes to fish at the crack of dawn. The wife likes to read. One morning the husband returns after several hours of fishing and decides to take a short nap. Although she isn't familiar with the lake, the wife decides to take the boat. She motors out a short distance, anchors, and continues to read her book. Along comes the game warden in his boat. He pulls up alongside her and says,"Good morning, Ma'am, what are you doing?" "Reading my book," she replies, thinking isn't that obvious? "You're in a restricted fishing area," he informs her. "But officer, I'm not fishing. Can't you see that?" "Yes, but you have all the equipment. I'll have to take you in and write you up." "If you do that, I'll have to charge you with rape," says the woman. "But I haven't even touched you," says the game warden. "That's true, but you do have all the equipment."

The capability does not equal the crime, thankfully, so while you might put the laptop in a position it's brickable, it's not. Also, with dual bios's, bricking something like a laptop requires quite a bit of effort!

Re:Two points about the article's headline.

[abigor]

Apologies for the possibly stupid question, but how are you booting OS X on an HP laptop?

Agree with both points.

[argent]

1) Bricked is the wrong word.

2) This hilights the dangers of any holes in a sandbox. The only secure way to design a sandbox is for there to be no mechanism from inside the sandbox to request access outside it... whether by installing a plugin, executing an external application, or otherwise elevating privileges. Even if the request is normally denied, the existince of that mechanism itself creates a new class of attacks.

The corollary to point two is that ActiveX is not just a security hole, it's a different *kind* of security hole.

On the other hand, all three of the most common browsers have a mechanism to request access outside the sandbox. None of them are as bad as ActiveX, but they're all unnecessary.

* Any browser on Windows is subject to URI quoting attacks on helper applications, due to the lack of a guaranteed quote-safe command line and the use of a single set of helper bindings for trusted and untrusted sources.

* LaunchServices on OS X duplicates the second problem as well.

* Firefox and Safari both allow web pages to request plugins be installed: XPI in Firefox and Dashboard plugins in Safari on OSX. They both wrap these interfaces in multiple levels of "approval dialogs", but my experience is that there are too many people who can be relied upon to eventually hit "go ahead and infect me" by reflex.

* Safari and Internet Explorer can both be made to, with various amounts of approval dialogs, open downloaded documents automatically. Safari used to do this by default but thankfully it's now an option... but really that capability should not be there at all.

None of these holes in the sandbox actually make things more convenient for users. They look like they might, but it's actually easier to download a document or a plugin and than (as a separate step) request that it be opened or installed from a file browser or from a download manager, because making the operation asynchronous and deliberate like that means you don't have to go crazy with approval dialogs, because you're not running the risk of an unexpected dialog coming up for a user with an itchy mouse button...

A theory...

[jbwolfe]

...I must propose that Slashdot editors are involved in a conspiracy. To wit: In the past few months or so, we have had at least three submissions that have incorrectly used the term "brick" to describe a problem with typically simple solutions- distinctly not problems without solution. Anyone interested enough to submit an article to Slashdot would know the meaning of the term. Therefore, the only explanation is that the editors are cultivating the submissions in a way calculated to stimulate numerous off topic posts highlighting the improper use of the term, in turn increasing the traffic in order to generate add revenue. What's the definition of troll?

In defense of "brick"

[timothy]

a) it's amusing to see people clamor for the "good old days" when "brick" meant a very specific form of computer disablement. Yes, those were the days, long ago, perhaps even before the television writers' strike began, why way back in ... aw, heck, you can't expect me to believe quite *that* far back, can you? I imagine a cadre of formerly peaceful hippies in a battle to the death on the proper etymology of "roach," and whether a joint which can still be successfully smoked while held between the fingers is or is not technically a roach.

b) Brick clearly means more than "a small glitch in a basically working device," but "renders useless until a complete system re-install" doesn't seem too crazy; I've seen this use many times, esp. wrt gadgets whose firmware can be replaced with firmware. It's certainly used sometimes to refer to the kind of situation where (as here) the device becomes a doorstop until a complete new system image is installed.

You can choose to fixate on the word (hey, it's a free world! :)), but there's some evidence [google.com] that not everyone agrees that a bricking is forever.

And if anyone would like to argue some sort of Ur-grammar definition into "brick" in the hyper-recent use to refer to borked electronics, complain about how today's kids aren't true enough to their l447sp3@k roots, may I introduce the brick (older meaning) [xinhuanet.com].

Re:Two points about the article's headline.

[mr_mischief]

There used to be a virus that slipped past the OS and triggered a BIOS flash on certain boards, and flashed the virus into the BIOS. The only ways to get it out were to buy a new MB, buy a new BIOS chip from the MB or BIOS manufacturer, flash the chip in a dedicated chip data loader, or replace it temporarily with a friend's BIOS chip, boot, swap out the chips on the live board, reflash, and hope you didn't fry the board or the chip. The board generally wasn't dual-BIOS, and worst of all IIRC was that the BIOS chip for many of the affected boards was soldered instead of socketed. The virus was called CIH or Chernobyl.

There was back in the days of DOS and ESDI, MFM, and early IDE drives, when it was the user's responsibility to run a drive head parking utility (properly configured for the right cylinder count for parking out past the edge of the drive) before physically moving the machine because auto-parking wasn't built into drives yet, a virus that did something really nasty. It'd take the cylinder count for your drive, cut that in half, set your park cylinder to that number, and tell the drive to park and shut down. The heads would move to the center of the platters, the spindle would slow down on its way to stopping, the air cushion between head and platter went away, and the heads plowed into the platters either then or when the drive would spin back up. I don't recall the name of this one.

Either of these could be considered bricking actual hardware, but you probably won't ever have to worry about Chernobyl and the other is obsolete.