I got pulled into an issue at work. Seems that one of my clients is moving to HP hardware, and they ran into a security issue [hp.com] with the software that is driven by the special keys on the laptop.
Here is the gist of the security issue [securityfocus.com]. The HP Info Center basically puts a shell around an Internet Explorer instance, which calls javascript that creates some ActiveX objects in the page. The ActiveX objects launch HP control panels stored on the machine. The DLL (HPInfoDLL.DLL) that contains the ActiveX object is the source of the security problem.
So what is HP's solution? A security update. Pretty straightforward, right?
Well, not so much. The updater that they supply doesn't check that the original file - or even the HP Info Center software - is installed on the system before installing the update. And if the software is installed, it doesn't do any version checking on the DLL. It just writes right over whatever version of the DLL is on the computer.
You might think that this last is a problem, right? What if another security issue is found? Well, here is why it isn't a problem. The updated DLL - doesn't do anything. Well, OK, maybe it does something. But it sure doesn't create the ActiveX objects that the original did. Consequently, when the HP Info Center is run, instead of showing icons to launch DLLs, users see an Internet Explorer Script error. See it here.
When the desktop manager for my client saw this, and I explained that it was the documented behavior of the update, he flipped out. And I can understand why. With the update installed, when users press a key on the laptop, what they will see is an error. They'll think the software is broken. And what do users do when they have a problem on their computers? Yes! they call the Helpdesk! He was envisioning having to explain to dozens or hundreds of users that the error they were seeing wasn't really an error.
Here is how I fixed the problem. I poked around, and found the Javascript that was driving the vulnerability. It is contained in a file called HPInfoCenter.js. I then found the file that was calling this JavaScript file. It is called HPInfoContent.html. I looked in the latter file, and found that it was calling the JavaScript in the <body> onload event. So, I just removed the onload reference to the JavaScript file. Then I edited the HTML of the HPInfoContent.html file to basically tell users that the Info Center doesn't do anything and that they should look for the HP controls in the Control Panel. Voila! No more script error!
The real question, though, is why HP felt compelled to create such an application. Why not just create a folder with shortcuts to the control panels? Wouldn't this accomplish the same thing?
Not as cool, I guess. Plus, if they had done this, I wouldn't have had the chance to be clever over this!
Sorry that this post is kind of complaining, but I do enjoy finding clever solutions to such problems.
Wednesday, December 19, 2007
Subscribe to:
Post Comments (Atom)
1 comments:
Hi BlueBearr,
just launched HP info center and got that error. had no idea what had cause it.
thanks for the post. don't care it doesn't work just happy it wasn't anything i had done wrong. you put my mind at ease ;o)
Cheers, keep up the good work
Paul
Post a Comment