HP’s Software Update Tool has been found to contain flaws which can lead to remote code execution or the leakage of sensitive information stored on a PC. The offending component of the HP Software Update application is the HPeDiag ActiveX control, which checks for and downloads security, firmware, software and driver updates. The flaw affects any HP PCs, or any PC connected to HP scanners, printers and cameras that contain a version of the update.
Tan Chew Keong from Vuln.sg, who advised HP of the flaw in March, said the vulnerable ActiveX controls are installed as part of HP Software Update version 126.96.36.1991 when the user installs the Windows software suite for HP colour LaserJet 2820/2840.
However, according to HP's security advisory, the flaw affects a larger set of products, including scanners, printers, cameras and PCs that use HP Software Update. Updates v4.000.009.002 or earlier running on Windows may be exposed to the vulnerability but should be resolved for PCs with update v4.000.010.008 or higher.
HP, Software, Update, Tools, Vulnerability, Exploit, Flaw