|
Description
|
This indicates an attempt to exploit an arbitrary file overwrite vulnerability in HP Software Update, shipped with many HP systems.
The vulnerability is due to a design weakness in an ActiveX component that is used to download patches and updates for HP software. A remote attacker can exploit the vulnerability by persuading a target user to open a malicious web page that can then overwrite sensitive files on the local file system. By doing this the attacker can corrupt the operating system and/or execute arbitrary code with the privileges of the logged in user.
|
|
|
|
Impact
|
|
System Compromise: privilege escalation
|
|
|
|
Affected Products
|
|
HP Software Update 3.0.8.4
|
|
Aliases
|
HP.Software.Update.Tool.ActiveX.Control.File.Overwrite
|
|
References
|
http://www.securityfocus.com/bid/26950
http://www.frsirt.com/english/advisories/2007/4271
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6506
|
|
Recommended Actions
|
Refer to HPSBGN02301 SSRT071508 rev.2 for patch, upgrade, or suggested workaround information:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01311918&jumpid=reg_R1002_USEN.
|
