A serious security flaw in an ActiveX Control used by the HP Virtual Rooms online collaboration suite could put business users at risk of code execution attacks.
According to an advisory posted to the Full Disclosure mailing list, the vulnerability is caused due to a boundary error in the HPVirtualRooms14.dll ActiveX control when handling strings assigned to various.
Secunia rates the issue as “highly critical” and warns:
“This can be exploited to cause a buffer overflow by assigning an overly-long string to an affected property. Successful exploitation allows execution of arbitrary code.“
The vulnerability was confirmed in HPVirtualRooms14.dll version 18.104.22.168. Other versions may also be affected, Secunia said.
[ ALSO SEE: HP Laptops Spring (Another) Security Leak ]
HP has struggled mightily with code execution holes in multiple software products within the last year.
In June 2007, the company acknowledged and fixed a buffer overflow condition in the Help and Support Center utility and warned that unpatched machines were sitting ducks for drive-by malware downloads. In December, a third security hole — in the HP Info Center — was also patched to provide cover for code execution scenarios affecting more than 80 HP laptop models.
Someone at HP needs to get fuzzing and find these flaws before the bad guys do some serious damage.