|
|
>> HP Software Update HPeDiag ActiveX Control Multiple Vulnerabilities
|
Title : HP Software Update HPeDiag ActiveX Control Multiple Vulnerabilities
VUPEN ID : VUPEN/ADV-2008-1356
CVE ID : CVE-2008-0712
Rated as : Critical 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2008-04-25
|
Multiple vulnerabilities have been identified in HP Software Update, which could be exploited by remote attackers to gain knowledge of sensitive information or take complete control of an affected system.
The first issue is caused by a buffer overflow error in the HPeDiag ActiveX control when handling malformed data passed to the "GetXmlFromIni()" method, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.
The second vulnerability is caused by a design error in various controls that do not restrict access to certain methods, which could be exploited by attackers to e.g. gain unauthorized read access to arbitrary files and registery keys via a specially crafted web page.
Affected Products
HP Software Update version 4.000.009.002 and prior
Solution
Upgrade to HP Software Update version 4.000.010.008.
References
http://www.vupen.com/english/advisories/2008/1356
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01439758
http://vuln.sg/hpupdate302991-en.html
Credits
Vulnerabilities reported by Chew Keong TAN.
ChangeLog
2008-04-25 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
