Slashdot Mirror


HP Issues Fix For Keylogger Found On Several Laptop Models (zdnet.com)

HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016. From a report: HP has since rolled out patches to remove the keylogger, which will also delete the log file containing the keystrokes. A spokesperson for HP said in a brief statement: "HP is committed to the security and privacy of its customers and we are aware of the keylogger issue on select HP PCs. HP has no access to customer data as a result of this issue." HP vice-president Mike Nash said on a call after-hours on Thursday that a fix is available on Windows Update and HP.com for newer 2016 and later affected models, with 2015 models receiving patches Friday. He added that the keylogger-type feature was mistakenly added to the driver's production code and was never meant to be rolled out to end-user devices. Nash didn't say how many models or customers were affected, but did confirm that some consumer laptops were affected. He also confirmed that a handful of consumer models that come with Conexant drivers are affected.

5 of 72 comments

  1. Fine. by thegreatbob · · Score: 3

    A fix is all well and good, but an explanation would be a nice touch. I guess people just don't get pissed off about getting the shaft anymore.

    --
    There is no XUL, only WebExtensions...
    1. Re:Fine. by Megane · · Score: 5, Informative

      From what I saw yesterday, the "explanation" is:

      1: mediocre programmer guy wants to check the keystrokes that affect volume control, adds a keylogger to the code for debugging
      2: poor version control, or a total lack thereof, combined with lack of code review, allows "temporary" debugging keylogger code to become part of and remain enabled in main-line production code
      3: someone eventually discovers it and SHTF

      In other words, Hanlon's Razor.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Fine. by anegg · · Score: 3, Insightful

      Words fail me. Whether this was incompetence or a poorly-kept secret, the implications are troublesome. A clear demonstration that even mainstream commercial software can't be trusted in some pretty fundamental ways. Yet we conduct more and more of our personal and professional lives on and through software-controlled systems. The explanation is that it was done accidentally, which implies that it is relatively easy to do and will not be detected by whatever quality assurance processes are in place.

    3. Re:Fine. by 110010001000 · · Score: 4, Insightful

      I'm pretty sure that RMS has been saying this for years. You cannot trust any closed source. You have no idea what it is doing. You are trusting unknown people with your data.

  2. Re:Wipe it by Anonymous Coward · · Score: 3, Informative

    The driver containing the keylogger was distributed by Windows Update. Unless you deactivated driver loading from Windows Update, your wiped laptop is also affected.