Exploit Found to Brick Most HP and Compaq Laptops
Ian Lamont writes "A security researcher calling himself porkythepig has published attack code that can supposedly brick most HP and Compaq laptops. The exploit uses an ActiveX control in HP's Software Update. It would 'let an attacker corrupt Windows' kernel files, making the laptop unbootable, or with a little more effort, allow hacks that would result in a PC hijack or malware infection.' The same researcher last week outlined a batch of additional vulnerabilities in HP and Compaq laptops, for which HP later issued patches."
Two points about the article's headline:
1) The linked article does not describe a successful bricking. You can pop in your recovery CD & away you go.
2) This is a software problem, not a hardware problem. I doubt this exploit is going to work on my (old & crappy) HP sempron laptop, seeing as it's dual booting Debian & OS X.
A better headline would be "Exploit found in HP update software" - but I guess that's just not that ad-revenue generating.
There are shills on slashdot. Apparently, I'm one of them.
Does this apply to any of the HP desktop line?
there's a patch available, but it involves penguins ;-)
This is NOT bricking. The OS is simply disabled and can be reinstalled/system repaired whatever.
Bricking means rendering the device completely inert and beyond normal repair methods.
I am government man, come from the government. The government has sent me. -- G.I.R.
We should revisit what "Brick" *actually* means: "When used in reference to electronics, "brick" describes a device that cannot function in any capacity (such as a machine with damaged firmware)." (Wikipedia)
Lately several submissions have used this term incorrectly. Come on, we're supposed to be nerds, not Cringely.
Corrupting a Windows install does NOT BRICK A GOD DAMNED LAPTOP. You can reinstall Windows and it will work. Therefore it is not a brick, it is not bricked, it has no aspect of brickishness, not even a hint of brickening.
What the HELL is wrong with you morons??? Do you even read Slashdot discussions? This has been pointed out over and over and over again.
Bricking involves killing something dead in such a way that it becomes, in effect, an expensive paperweight or 'brick' if you will. As you are clearly retarded, let me explain that a 'brick' is typically a rectangular piece of clay or similar material hardened in a furnace and used to construct buildings and other structures, and usually has no functionality beyond this. Unlike the device in this story, reinstalling Windows on an actual brick will not lead to increased capabilities.
Read Pynchon.
When did "brick" stop meaning that the device was rendered utterly useless forever, and change to mean that the device simply stopped working and needed to be repaired?
Bricking refers to rendering a device inoperable in a more significant way than corrupting data on a hard drive. These machines can still be booted from external media and restored. A truly bricked device would have its firmware corrupted or suffer some sort of damage not easily repaired without specialist tools.
I am becoming gerund, destroyer of verbs.
Bricking means to render unbootable with no means of recovery other than sending back to the manufacturer. This is usually done through the corruption of the firmware.
Corrupt the BIOS = bricked. Corrupting Windows = not bricked.
Did anybody mention that they used "bricked" incorrectly?
So who wants to be the first to try? ;-)
If you post as Anonymous Coward, don't expect a reply.
to paraphrase Mr Dent:
Ah, this is obviously some strange use of the word brick that I wasn't previously aware of.
WARNING: Smartphones have side effects--most of them undocumented.
It will l-l-l-let an attacker corrupt W-w-w-windows! T-t-t-that's all folks!
It sounds like the user needs to be using Internet Explorer in order to be vulnerable. I doubt anything happens on Firefox or other browser since there is purposely no ActiveX support there.
Also I note that the exploit description itself never uses the inaccurate word "brick".
When idiots keep misusing the term brick, and then so-called knowledgeable editors of Slashdot reinforce its usage, it is going against everything that Slashdot is supposed to be about, which is the spreading of useful information. "Brick"ing came about from PSP hacking where the entire PSP could no longer be brought up at all, if particular hacks were made to the device. No amount of reinstalling would work, because it just wouldn't turn on, rendering it as useless as a brick.
Making a computer unbootable is not "brick"ing it. Please. Stop the flow of misinformation and misusing of terms, and do not reinforce its usage.
This is NOT bricking. Whoever wrote this article description up is clueless. Actually if you look at the technical savvy of the average Slashdot user from 1999 until today you'll see that the technical knowledge has been dropping ever since about 2000. Slashdot users used to be way smarter and more experienced. Nowadays it seems like the average Slashdot user is just some computer hobbyist who runs Ubuntu when in past years Slashdot was full of developers, sysadmins and the like.
The story is yet another illustration of how dangerous ActiveX is. This is not the first example and it probably won't be the last. So many other things depend on or otherwise utilize activex... some are highly security sensitive like in the case of ADP. I cannot understand why, after all these years of examples why Microsoft hasn't recalled the use of the technology as inherently dangerous. But really, it's worse than that. It breaks the premise of the web. The use of the web is not supposed to be limited to a certain hardware specification under a certain software configuration... this is irrelevant, of course, to the dangers pushed upon the users who are often required to use it.
We have some of the affected models here at work, but I make my own clone images sans the HP crapware.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Many/most devices have a "low level monitor" that supports reflashing the firmware. If that low level monitor gets hosed then you have a big problem (break out the JTAG cables etc).
Of course technical terms get bandied about by pseudo-nerds which does confuse things.
Engineering is the art of compromise.
If you removed the crapware that HP sent out with it.. You'll be fine.. Just takes like 3 or 4 hours to do it all though... Extremely annoying...
"Brick" will be used incorrectly, and its meaning has changed. Don't waste time fighting it, we have lost. Just like 'Hacker' or a billion other phrases the media has misused.
Really, your time is more valuable than that.
The Kruger Dunning explains most post on
Supposing that I'm using windows, I don't really think that I would be running HP software crap.. [dot] [newline]
What's the story?
"Bricking" a device means destroying hardware or destroying firmware in a way that cannot be recovered.
Merely destroying a Windows installation is not "bricking" a machine; Windows needs to be reinstalled from time to time anyway.
..But I didn't know "Plugging it in and using it" was considered an exploit.
-- David
1) Bricked is the wrong word.
2) This highlights the dangers of any holes in a sandbox. The only secure way to design a sandbox is for there to be no mechanism from inside the sandbox to request access outside it... whether by installing a plugin, executing an external application, or otherwise elevating privileges. Even if the request is normally denied, the existence of that mechanism itself creates a new class of attacks.
The corollary to point two is that ActiveX is not just a security hole, it's a different *kind* of security hole.
On the other hand, all three of the most common browsers have a mechanism to request access outside the sandbox. None of them are as bad as ActiveX, but they're all unnecessary.
* Any browser on Windows is subject to URI quoting attacks on helper applications, due to the lack of a guaranteed quote-safe command line and the use of a single set of helper bindings for trusted and untrusted sources.
* LaunchServices on OS X duplicates the second problem as well.
* Firefox and Safari both allow web pages to request plugins be installed: XPI in Firefox and Dashboard plugins in Safari on OSX. They both wrap these interfaces in multiple levels of "approval dialogs", but my experience is that there are too many people who can be relied upon to eventually hit "go ahead and infect me" by reflex.
* Safari and Internet Explorer can both be made to, with various amounts of approval dialogs, open downloaded documents automatically. Safari used to do this by default but thankfully it's now an option... but really that capability should not be there at all.
None of these holes in the sandbox actually make things more convenient for users. They look like they might, but it's actually easier to download a document or a plugin and then (as a separate step) request that it be opened or installed from a file browser or from a download manager, because making the operation asynchronous and deliberate like that means you don't have to go crazy with approval dialogs, because you're not running the risk of an unexpected dialog coming up for a user with an itchy mouse button...
not much else to it.
HP/Compaq ships new laptops bricked. They call it 'Preinstalled with Windows Vista'.
If you want news from today, you have to come back tomorrow.
People who submit articles to Slashdot need to learn what the fuck "Brick" means.
Yes billy, if you can reload windows and use the machine again, it's not a brick.
From Ye old Urban Dictionary:
Brick
As verb: to brick something.
This is the action of rendering any small-medium size electronic device useless.
This can happen whilst changing the firmware, soldering or any other process
involving either hardware or software.
ex: I bricked my mobile phone when I tried to install Linux on it.
...I must propose that Slashdot editors are involved in a conspiracy. To wit: In the past few months or so, we have had at least three submissions that have incorrectly used the term "brick" to describe a problem with typically simple solutions- distinctly not problems without solution. Anyone interested enough to submit an article to Slashdot would know the meaning of the term. Therefore, the only explanation is that the editors are cultivating the submissions in a way calculated to stimulate numerous off topic posts highlighting the improper use of the term, in turn increasing the traffic in order to generate ad revenue. What's the definition of troll?
Have you ever noticed that anybody driving slower than you is an idiot, and anyone going faster than you is a maniac?
Now news sources are just trolling /.
Tell me why a legitimate "security researcher" calls himself "porky the pig." Tell me why I should trust anything he says.
Well, at least that explains how the Irene Demova Virus could affect only a single brand of laptop. Now we just have to hope that teh terrists use unpatched HP laptops as bomb timers.
Why...
YES, it is 'bricked.' Totally and utterly useless, yes. You'll need to buy a brand new one. Seeing as I'm a nice guy, I'll buy this completely bricked, utterly useless laptop from you. Just for the case and spare parts, you see. Does $100 sound reasonable for a bricked, totally useless laptop that you can never use again? Hmmm?
even for 64-bit HP, I'm cranking along... oh ..what? no I didn't RTFM why?
Power to the Penguin!
...buy a brick and put in a recovery disc to get Windows running on it? DAMNIT, there goes all the Christmas presents I was going to buy everyone I know.
Slashdot editors...please, for the love of all that is holy, the term "bricking" means "BRICK-LIKE"...any computer that can still compute (or anything that is still operational for that matter) is NOT BRICK-LIKE/a brick/bricked!
Anyone know where the complaint department is?
This way of using powerful words to attempt to lure in people to read the article really makes me lose faith in humanity.
Let the devolution of Slashdot into Digg commence.
> Firehose: Exploit supposedly bricks most HP/Compaq laptops by Ian Lamont (1116549)
Usually, the Firehose version is exactly what you submitted and it only gets edited after acceptance. But maybe that doesn't apply to the title, I haven't paid close enough attention to be certain.
Disclaimer: Did not read the article.
Does this affect Desktop machines from HP-Compaq as well? We just received a metric buttload of these machines and I'm curious if they can all be susceptible.
If you were offended by anything I said... No, I'm not sorry. Please lighten up.
Cringely is not as tech-illiterate as that. Certainly not as clueless as any of Slashdot's "Editors", current or former.
So does any one want this bricked psp i have here? ... "unbrickers" exist you know.
Tech reports that misuse terms should be canned. This doesn't make the laptop unusable. Now the common powerjack problems (which HP refuses to repair) with the HP and Compaq laptops, that can brick your laptop if it shorts your motherboard out.
in Soviet Russia bricks are laptoped!
FFS.. learn how to use the term!
Could I un-brick it if I ran Linux?
Bricking is a perfectly good technical term. I understand language evolves but it has no good reason to evolve in this direction. Real bricking is still a concern for some things and it's important to distinguish the potential damage something can do.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
...Acme brand laptops. For some reason, they seem impervious to bricking.
They thought they had a headline when they realized it was easy to brick a HP but then they realized how much more efficient an HP is when it's "bricked".
Now, there's a part of me that wants to give a medal to anybody that does that ... but, for hacking other people's computers, I think I'd be more likely to give in to the part of me that wants to beat him (her?) to a bloody pulp.
Free Software: Like love, it grows best when given away.
You can choose to fixate on the word (hey, it's a free world! :)), but there's some evidence that not everyone agrees that a bricking is forever.
a) it's amusing to see people clamor for the "good old days" when "brick" meant a very specific form of computer disablement. Yes, those were the days, long ago, perhaps even before the television writers' strike began, why way back in ... aw, heck, you can't expect me to believe quite *that* far back, can you? I imagine a cadre of formerly peaceful hippies in a battle to the death on the proper etymology of "roach," and whether a joint which can still be successfully smoked while held between the fingers is or is not technically a roach.
b) Brick clearly means more than "a small glitch in a basically working device," but "renders useless until a complete system re-install" doesn't seem too crazy; I've seen this use many times, esp. wrt gadgets whose firmware can be replaced with firmware. It's certainly used sometimes to refer to the kind of situation where (as here) the device becomes a doorstop until a complete new system image is installed.
And if anyone would like to argue some sort of Ur-grammar definition into "brick" in the hyper-recent use to refer to borked electronics, complain about how today's kids aren't true enough to their l447sp3@k roots, may I introduce the brick (older meaning).
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
"Exploit Found to Brick Most HP and Compaq Laptops"
...which I installed Ubuntu on. Oh well.
Well, I have a Compaq Presario C500T...
"The exploit uses an ActiveX control in HP's Software Update. It would 'let an attacker corrupt Windows' kernel files..."
Give a man fire, and you warm him for the night. Set a man on fire, and you warm him for the rest of his life.
Hmm, according to the article the culprit is "HP Software Updates", a program I uninstalled long ago and I think many else have uninstalled too (or not installed after a clean install). So say "most" feels a little wrong to me...
But when I read the referenced article, in the original context, it seemed to me that the writer was using "brick" as a way to distinguish malicious code which seizes control of your Windows box from malicious code which kills it.
I have found almost all hardware or system updaters have back doors. For windows you go right into the services window and disable these and you are fine. (but check for updates manually or turn back on regularly)
I uninstalled all the HP crapware as soon as I got it home.
The only thing the updater program seemed to update was itself. It certainly didn't download any new graphics/network drivers or anything useful like that.
No sig today...
I'm not expecting a fix in the next quarter... since I got my HP this summer there have been no new updates, even though at least my Graphics card has gotten several updates (if I wasn't running a HP I could have used them)
Particles, stuff that matters.
Did anybody notice that they mention term bricked incorrectly?
i used up all mine this morning.
upon the advice of my lawyer, i have no sig at this time
this was like 5 years ago:
installed linux, don't know which distrib...
activate power saving
wait a while, the laptop goes into hibernate
and it stays there. forever.
even removing batteries, harddisk etc... for several days did not help.
needed to send it to compaq for repair.
Atari rules... ermm... ruled.
Sorry folks, you're making the mistake of thumping the dictionary instead of looking at actual, in the wild use, of the word "brick". It works perfectly, in this context, as a term to describe breaking some aspect of a device. It appears that some people like using the term that way, and are perfectly happy with it. It works for them. You don't have to like it, and don't have to participate in the usage, but this is demonstrably what is happening. Measurable field data exists, and native speakers of English, in context, are now using the word "brick" to mean precisely what you are all claiming it cannot mean. Go back to working on computers, and leave linguistic analysis to those who know something about it. Disclaimer: I drive a brick, and know something about language.
.. to "professional doorstop". No more insulting that brick.
... just like a brick (should do) ;)
How difficult can it be to see the difference between a (full) operating laptop and a professional doorstop?
The doorstop won't budge
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Re:I effectively bricked my compaq with linux!
davecb5620@gmail.com
Bricked should be reserved for the hardware related destruction of a machine.
I prefer the term toileted when the exploit only causes Windows XP re-flushing.
For the destruction of a data centre, I recommend the term "constipated". Ie the entire data centre was constipated by the active-x exploit.
When an entire country is disrupted by an exploit I feel the term "mega-plopped" is fitting.
I also feel the general population would relate better to these terms and these terms would help motivate them to avoid such incidents via mental imagery association. The idea of a brick has little symbolic value, especially as many computers are shaped like bricks anyway.
"Hmm, according to the article the culprit is "HP Software Updates", a program I uninstalled long ago"
.. Simple disabling of the vulnerable control .. [could still] result in the machine .. [being] compromised,"
How does you uninstalling the program make all the other laptops safe. Is this an example of quantum entanglement; action at a distance. You uninstall 'Software Updates' and simultaneously it gets uninstalled on all other HP laptops.
"HP issued an update that simply disabled the vulnerable software
How did you manage to remove it since HP only managed to disable it and according to the article it still leaves the machines vulnerable to the exploit.
Re:"Most HP and Compaq Laptops"
davecb5620@gmail.com
This past month HP issued a critical BIOS update for HP Pavilions 6000, 9000 and some Compaq series.. I don't know if this is related to this 'bug' or not.. They also issued updates to their 'HP' update wares... I have such a laptop.. It is my only Windows box.. All other are Slackware... FYI... IF you have such a machine using either HP update or visiting HP support you can get the BIOS updates (winflash) and other software updates for these machines...
"A security researcher calling himself porkythepig [...]"
How come I never hear of a cancer researcher calling herself "Bubba the Shithammer"? Or a nuclear scientist who calls himself "Fluffy Huggy Bunny"?
And people wonder why computer security is consistently ignored.
Come on, just because he doesn't love the iPhone doesn't mean he isn't probably right...
it becomes the 'truth'
there is always the other viewpoint ...
In this case embedded hardware.
Almost everything I work on has its JTAG chain
connected. It's 5 pins, or pads, just like 99%+ of
the keyboards out there.
No, if you can get it running from JTAG, it can still live
to Talk Like A Pirate.
RAmen
daryl_and_daryl
Come on people. I know it's all sensational and stuff to talk about bricking, but this ain't bricking. Bricking is when the device is now as "useful as a brick" or could literally be used only as a paper weight or a door stop. When it cannot be recovered or fixed, that's a brick. This is just a fouled up machine. Which viruses have been giving us since the early 90s when hard drives became standard in PCs.
It's like there's a bunch of kiddies out there who heard all the sensation about iPhones getting bricked (now that seemed like a genuine brick for quite a while) and now think that the cool term for screwed up is now "brick". Use some precision, for crying out loud.
"Doubt your doubts and believe your beliefs." -- Switchfoot, Ode to Chin
all you would need to do is a simple repair install. it's an option in the xp CD (dunno about vista as i have never used it and don't plan to any time soon) this is not bricked if like lazarus it can be resurrected and made to work again using a simple software route. bricking means no lazarus... not even a hint of reincarnation under a reinstall/repair install. Mind you in Scotland, where i live, a non IT meaning of "brick" is crap. as in "he saw the car coming and bricked himself". bricking in this meaning also renders a person useless but only until they wash themselves and change their garments and prepare to never live it down!
Popular buzz word of late-2007 (and likely into 2008): brick.
Everything is "bricking" your devices these days.
Truth, Just Us, And Hatred For All Mankind!
Why don't we demonstrate what the word brick means in the context of electronic devices by bashing their head in with a brick. When they come to realize that they will never awaken from this state, a Zen like realization will wash over them as to the true meaning of bricked.
“Common sense is not so common.” — Voltaire
Sure enough, the very top comment on a bricking article explained that what happened was not bricking.
hawk, trying not to hurt his arm as he pats his own back
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
All most exploits would have to do to brick a PC is to set the ATA security password on the hard drive to something random that's instantly discarded. Done right, only the master password for the drive would unlock the drive after having done a security format first, wiping all data. And most users don't have the master password so they'd have to attempt to get it, based on their drive's serial number, from their PC manufacturer or hard drive vendor. It bricks the hard drive in most cases because getting the master password is so awkward.
"OS" partition
Eric Baird