Security exploit bricks HP and Compaq laptops
A Polish security researcher calling himself porkythepig is apparently gunning hard for HP this month, first exposing a slew of vulnerabilities that affected 83 different HP and Compaq models ten days ago, and today releasing an exploit that allows an attacker to brick any HP or Compaq laptop. The 'sploit takes advantage of a vulnerable ActiveX control in HP's Software Update, allowing a hacker to easily corrupt Windows kernel files, or even take control of the machine with a little more effort. Porkythepig says the bug affects HP and Compaq laptops running Windows 2000, XP, Server 2003 and Vista, and that simply disabling the Software Update mechanism may not prevent attackers from taking advantage of the vulnerability. Even so, those of you out there running HP / Compaq machines may want to take a second to shut down Software Update until HP issues a patch.
Update: Wow, we didn't realize how seriously everyone took their slang. For what it's worth, the definition of "bricked" has caused some amusingly serious discussion amongst Engadget editors today, and most agree that it should mean "dead beyond all repair" -- except for Nilay, who keeps stubbornly saying that people "un-brick" devices all the time. We'll stick to the most common definition for now, so no, this exploit didn't "brick" anything.
[Via Slashdot]
Reader Comments (Page 1 of 2)
PGP-Protector @ Dec 21st 2007 2:33PM
Guess it's good that I formatted & did a clean install from an OEM CD vs the HP Version that they use
ScareyJ @ Dec 21st 2007 3:09PM
@PGP, I'm with you on that. New machine, new, clean reinstall to get rid of the mfr filler junk!
I'm just surprised the companies don't use advertisements like, "For a limited time only, we're offering a bonus of 92GB of free software preinstalled!" Don't have iTunes, well you might ... need a Google, Yahoo, MSN browser toolbar, they're all included! Now with 101 cool screen savers! "This puppy has a 200GB harddrive, and only 12GB free ... that means you're getting 188GB of pure value for one low low, super low price!"
Matthew Hilario @ Dec 21st 2007 3:17PM
abadee abadee abadee that's all folks.
Froggy @ Dec 21st 2007 3:49PM
first thing I did was to remove the HP software update. now I'm just glad i did so. HP laptop $1500; Cleaning it once you get it - priceless.
abadtooth @ Dec 21st 2007 2:33PM
ROFL!!!!
TruthBringR @ Dec 21st 2007 3:13PM
I had such a lousy day today. First my HP laptop got BRICKED because of porkypig's security exploit. Then my car ran out of gas on the freeway and now my car is BRICKED. Then my cellphone ran out of battery and now it's BRICKED too.
Way to go Nilay Patel - great job checking your facts and/or blindly ripping headlines from other gadget blogs that put out the story first!
*applause*
John B @ Dec 21st 2007 3:29PM
@TruthBringR:
Absolutely! Yet another abuse of a word just because it makes you sound all geeky.
Hey, Nilay! To use a familiar quote: "You keep using that word. I do not think it means what you think it means." If the laptop never worked again, THEN it's "bricked". You DO know what a brick is, right? If the operating system can be reloaded and the system can be restored (even through some effort) to its previous state, that does not qualify as being "bricked".
Inconceivable.
Visionep @ Dec 21st 2007 2:36PM
I don't think 'brick' is technically accurate here. To brick a piece of hardware is to make it useless with no simple method of repair. It seems like re-installing the OS will easily fix this problem.
If you are using an inaccurate headline that denotes greater damage than was actually caused by the situation wouldn't you consider that sensationalization of a news item?
Jonathan Bergeron @ Dec 21st 2007 2:39PM
Yeah, I thought Engadget was owned by Time Warner not News Corp.
LimboMan @ Dec 21st 2007 2:40PM
Visionep: Agreed... Reading the headline, I thought there was some unique vulnerability in the HP/Compaqs that allowed malicious code to affect the bios/firmware of the devices
Craig @ Dec 21st 2007 2:50PM
@Sensationalism Nazi: You should be accusing the Slashdot for changing the headline but they got it from the original blog article titled "Bricking bug threatens most HP, Compaq laptops
Second bundled bug in nine days can leave laptops unbootable"
Reader @ Dec 21st 2007 4:00PM
Blaming Slashdot because of Engadget's title? That's a little much, just because someone else makes an error doesn't mean Engadget can.
I also agree the title bricking is a little much, but it's not too hard to get the meaning.
ark_v2 @ Dec 21st 2007 4:05PM
Sounds like the apple controversy to me.
Jonathan Bergeron @ Dec 21st 2007 2:38PM
That's cause HP/Compaq are garbage computers.
Spyvie @ Dec 21st 2007 3:18PM
The HP DV series notebooks generally don't suck
TruthBringer @ Dec 21st 2007 3:22PM
You are so right - HP/Compaq are such garbage computers that they have the #1 market share for laptops and desktops. Imagine the tough time HP has year after year explaining to their shareholders how their company's computers are #1. Wouldn't want to be in their shoes!
Jonathan Bergeron @ Dec 21st 2007 3:47PM
They are garbage computers. They have the #1 market share by out pricing Dell and having better marketing than any other PC manufacturer.
Froggy @ Dec 21st 2007 3:53PM
that's just silly. they have garbage ON their computers. I agree with that. their computers are not exactly garbage.
tom @ Dec 21st 2007 3:54PM
HP laptops do suck, keyboard flex, lcd screen flicker and now this! People buy them because they only look sexy.
TP all the way =D
spaceb @ Dec 21st 2007 2:41PM
I'm writing from an HP laptop and I'm glad I didn't install HP's software.
barry.padgett @ Dec 21st 2007 2:47PM
Great one more thing to worry about....
Justin @ Dec 21st 2007 2:51PM
HP softwares have always been quite sub-par... esp. its drivers...
Carbonize @ Dec 22nd 2007 3:02AM
You should try the crap Acer slaps on its laptops then. ePower reads the damn registry every time you move the mouse a pixel.
jason @ Dec 21st 2007 2:55PM
Wait, doesn't everybody do a fresh OS install on a branded laptop to get rid of the crapware anyways?
PGP-Protector @ Dec 21st 2007 2:59PM
Yep
Removal of crapware
Removal of other "bonuses"
Recovery of storage space and their "Recovery sector"
Speed improvements.
Luigi193 @ Dec 21st 2007 2:58PM
That must suck...
nosleepidiot @ Dec 21st 2007 3:09PM
That's why the first order of business after you buy a new machine should be to wipe clean and start over with a non OEM install of the OS.
It's got nothing to do with the hardware. I don't even keep an OEM install of OSX on an Apple machine.
Bombaclaat @ Dec 21st 2007 3:11PM
Rule #1, always wipe out and reinstall OS on new computers.
frank @ Dec 21st 2007 3:12PM
Dear Jonathan,
You might consider thinking for yourself; it's quite liberating. My nc4400 is a beautiful machine, that rivals ThinkPads, VAIO's, Tecra's, and Lifebooks that I've used and worked on, thanks to my job. Additionally, if you buy any of HP's business line, they include no crapware whatsoever. They know that in a business environment, it's going to be re-imaged as soon as it gets in the door (or even before, if you go through a reseller like CDW that will put your custom image on it) so they don't waste their time engineering a load of apps that will never see the light of day.
Jonathan Bergeron @ Dec 21st 2007 3:20PM
I am thinking for myself. I've worked on computers for the last 9 years. What I've found is every computer that you do make yourself is garbage. HP/Compaq ranks at the top of that list, with Thinkpad in a close second.
TruthBringer @ Dec 21st 2007 3:18PM
What a lousy day I had - first my HP laptop got BRICKED because of a software exploit. Then my car ran out of gas on the freeway and now I have a BRICKED car. Then my cellphone ran out of battery and now it too is BRICKED.
Way to go Nilay Patel - you're an asset to engadget. Great job having no f*cking idea what you're talking about and/or merely ripping headlines from other gadget blogs that get these stories first.
Jonathan Bergeron @ Dec 21st 2007 3:22PM
hahahahahahahahahahahahahaha
Dan @ Dec 21st 2007 3:24PM
I'm just gonna throw this out there, but isn't saying it's "bricked" a little overly dramatic? It corrupts kernel files. Ok, that's really serious, but to me it's not bricked as the OS can be reinstalled and off you go. To me, for it to be bricked the bios and all that good stuff would have to be toast forcing the user to send it into the manufacturer for repair. At least to me and people I've known that has been what it meant to be bricked, i.e. useless except as a paperweight.
Prokkie @ Dec 21st 2007 3:25PM
glad I deleted all that stuff off of my new HP lappie before I gave it back for christmas wrapping.... lol
Jon @ Dec 21st 2007 4:17PM
The term "brick" means "as useful as a brick". So please, Nilay, "brick" your laptop then send it to me. I will gladly take your "brick."
Bricking refers to damaging the firmware on something so it is not easily recoverable. On your poor windows laptop, every time your feeble OS is infected with spyware, are you "bricked?" No. don't be a tard.
Mandrake @ Dec 21st 2007 4:45PM
Just do yourselves a big favor: nuke the hard drive of all Windows based crap, and slap Linux on it... giddy up!
zephead @ Dec 21st 2007 6:06PM
Ironic if that patch is released through HP's Software Update. :O
michael @ Dec 21st 2007 7:33PM
Good thing my HP doesn't run any of those operating systems.
Does Ubuntu Linux have any vulnerabilities to hackers?
lol.
It's not like this is HP/Compaq's fault. Who made the OS that has the infrastructure to allow this type of exploit, and why do you pay for that OS?
Mark @ Dec 23rd 2007 11:22AM
Actually, it is HP/Compaq's fault, because they made this particular Software Updater program. It's not Windows Update we're talking about.
Carbonize @ Dec 22nd 2007 3:04AM
Every OS has its exploits, Linux is no different. But this is not an exploit in the OS but an exploit in HP's software.
Michael @ Dec 22nd 2007 1:46PM
Funny, HP has software on my computer (CUPS) and I have never heard of an exploit of that.
All I meant above was that it seemed from reading people's comments that they were blaming HP, when truthfully, the POS OS allows for that type of thing to happen. If I want to update my software on my computer that HP made, I give permission. It isn't (that I am aware of) built into that OS.
Alex @ Dec 21st 2007 8:13PM
1) any computer you don't put together yourself from barebones sucks. Did you all buy your hp's at BB? Idiots
2) I brick and unbrick my psp every now and this is common to the psp scene. So yes, a brick can be unbricked.
3)"...installed!!...Retail is for suckers." - kramer
ZeroCorpse @ Dec 22nd 2007 12:31AM
Translation:
"I is 1337 and am teh awesome Bcuz I build my own PCs. U suck Bcuz you don't.
I R also teh awesome Bcuz I build my own TV, DVD player, Toaster, Automobile, and toilet from spare parts. You are teh suck Bcuz U buy stuff put-together from stores like a sucker.
I is teh leet hackerz and all your base are belong to us."
Dude... Get over yourself. I used to build PCs, but at least I was smart enough to know that it's a hobbyist thing, and not something for everybody. Making fun of other people because they don't have the same geek hobbies or technical knowledge as you is pretty stupid. I'm willing to bet you need someone to do/build/make something for you now and again because you lack the skills. Ever go to a restaurant and buy dinner? WHY?!?! Are you not kewl enough to make your own? Did you build your car? Your house? Did you fit all the plumbing in your home? Did you press the mainboard for your leet computer yourself, and solder in all the caps and chips yourself, or did you buy your mainboard already completed?
Stop being such a douchenozzle. Unless you build everything you own from base elements and materials, you really can't claim to be any better than the people who buy computers that are pre-built.
But hey, if this is the only way you can feel vindicated for being picked on in school, then knock yourself out.
Alex @ Dec 22nd 2007 3:56AM
Actually, I was in the cool group at school. Basketball team, hot girlfriend, lots of friends, etc. And no I didn't physically put together my car. Or my toaster. Or my laptop really, for that matter. I just ordered it online from a site like rjtech (zepto.com) and configured it myself, then ordered high quality ram and a high quality hdd, and put those in myself. And installed my own os. Not only did I get exactly the configuration I wanted, I saved a bunch of money compared to my hp buying counterparts. I am admittedly at most a half geek. I just do a little thing called research, and don't just buy whatever because I believe the ads or the guy at BB. And it seems people spending time on a gadget blog would be savvy enough to do the same.
Dave-o @ Dec 22nd 2007 8:36PM
The Alex doth protest too much, methinks.
BobTurbo @ Dec 21st 2007 9:40PM
I remember dealing with an HP printer once and noticing that there was so much junk software and pop-ups and crap just for printer software. I think it was in the multiple GBs. From that day on I decided to never buy anything related to HP again.
Davsot @ Dec 22nd 2007 1:29AM
My Compaq Computer (not laptop) just broke down. Is this unrelated and just a really bad coincidence? Or is it possible? It's a 2003 model for anyone who is curious and was running Windows XP.
Kash @ Dec 22nd 2007 6:39AM
How do I go about disabling HP UPDATE???
rooshma @ Dec 22nd 2007 4:28PM
If you use any of HPs software you deserve to have your computer bricked
palehorse @ Dec 24th 2007 1:03PM
Is the "Improper Use of Geek Slang" a 10 yard penalty, or a 15 yard penalty?
hmmm...