
SoylentNews is people

posted by martyb on Friday May 12 2017, @11:59PM
from the check-your-backups dept.

ITworld has a story about certain Hewlett-Packard laptop computers:

The keylogger is found within the PCs' audio driver software and has existed since at least Dec. 2015, the security firm Modzero said in a Thursday blog post.

The audio driver was designed to identify when a special key on the PC was used. But in reality, the software will capture all the keystrokes and write them in an unencrypted file located on the laptop.

The problematic driver is called MicTray64.exe — versions 1.0.0.31 through 1.0.0.46 are known to be affected. The logged keystrokes are written either to the world-readable file C:\Users\Public\MicTray.log or through the OutputDebugString API. The latter can be observed using Microsoft's DebugView utility.

The Modzero website has the technical details.

ThreatPost adds:

ModZero is warning the issue (CVE-2017-8360) could lead to the leaking of sensitive user information, such as passwords. Anyone with access to the unencrypted file system could recover the data. Furthermore, since the program isn't considered malicious, malware authors wouldn't have trouble capturing victims' keystrokes either. Researchers say the keylogger comes registered as a Microsoft Scheduled Task, so it runs after each user login. While the file is overwritten each time, ModZero says it could easily be recruited by a running process or analyzed by someone with forensic tools.

Researchers surmised the software has been recording keystrokes since version 1.0.0.31 was released, on Christmas Eve 2015, but stress that the same problem exists in the most recent version, 1.0.0.46, released last October.

ModZero also warns the audio driver comes installed on a slew of HP machines, including its EliteBook, Elite x2, ProBook, and ZBook lines, but could exist in other machines. The company also delivers audio drivers for Dell, Lenovo, and Asus machines although at this point it's not certain they feature the same audio driver.
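The story gives three host-side indicators: the driver binary in the 1.0.0.31 to 1.0.0.46 range, the world-readable C:\Users\Public\MicTray.log, and a scheduled task that launches the driver at login. The following PowerShell audit is an added example, not code from the article, Modzero or HP; it is read-only and only reports those three indicators. It assumes the binary sits under System32 or a Program Files directory and matches the scheduled task by the executable its action runs, since the article names neither the install path nor the task name.

```powershell
# Added audit script (not code from the article, Modzero, or HP). Read-only: it reports
# whether a host shows the three indicators described in the story (driver binary in
# the affected version range, world-readable log file, scheduled task that launches
# the driver) and changes nothing on the system.
#
# Assumptions not stated on the page: the driver is searched for under System32 and
# the Program Files directories, and the scheduled task is matched by the executable
# its action runs, because the task name is not given in the article.

$AffectedMin = [version]'1.0.0.31'   # first version reported as logging keystrokes
$AffectedMax = [version]'1.0.0.46'   # latest version reported as affected
$LogPath     = 'C:\Users\Public\MicTray.log'
$SearchRoots = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-MicTrayBinary {
    # Locate MicTray64.exe and compare its PE file version with the affected range.
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Filter 'MicTray64.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string may carry extra text.
            $v  = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $v
                Affected = ($v -ge $AffectedMin -and $v -le $AffectedMax)
            }
        }
    }
}

function Get-MicTrayLog {
    # Report the keystroke log if present, including which principals can read it.
    if (-not (Test-Path -LiteralPath $LogPath)) { return $null }
    $item = Get-Item -LiteralPath $LogPath
    $acl  = Get-Acl  -LiteralPath $LogPath
    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        LastWrite = $item.LastWriteTime
        Readers   = ($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }
}

function Get-MicTrayTask {
    # Find scheduled tasks whose action launches MicTray64.exe (the story says it runs after each login).
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -match 'MicTray64\.exe' }).Count -gt 0
    } | Select-Object TaskName, TaskPath, State
}

# ---- report ----
$binaries = @(Get-MicTrayBinary)
$log      = Get-MicTrayLog
$tasks    = @(Get-MicTrayTask)

"== MicTray64.exe binaries =="
if ($binaries.Count) { $binaries | Format-Table -AutoSize | Out-String }
else { "none found under $($SearchRoots -join ', ')" }

"== Keystroke log ($LogPath) =="
if ($log) { $log | Format-List | Out-String }
else { "not present (the file is rewritten at each login, so absence now does not prove it never existed)" }

"== Scheduled tasks launching MicTray64.exe =="
if ($tasks.Count) { $tasks | Format-Table -AutoSize | Out-String } else { "none" }

$exposed = (@($binaries | Where-Object { $_.Affected }).Count -gt 0) -or ($null -ne $log) -or ($tasks.Count -gt 0)
if ($exposed) { Write-Warning "Host shows indicators of the MicTray keystroke logging issue (CVE-2017-8360)." }
```

Run it in an elevated session so Get-ScheduledTask can enumerate every task. The script does not cover the second output channel the story mentions, OutputDebugString, which only shows up in a debugger such as DebugView while the driver is running; what to do with a positive finding (vendor driver update, handling of the log file) is a decision the script deliberately leaves to the operator.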

The firm says the following HP products are affected, however:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Other coverage:
Ars Technica.



  • (Score: 2) by Rich on Saturday May 13 2017, @02:05AM (7 children)

    by Rich (945) on Saturday May 13 2017, @02:05AM (#508954) Journal

    fire all the Devs and replace them with DevOps can only think in terms of logging everything into the big data cloud

    Except this isn't the customer complaint portal of a second rate insurance sales shop, where they deploy an untested docker image after a couple of "hot fixes" with a single mouse click into the "production cloud", but a kernel driver. There's a solid amount of competence required to write one of those. I have a hard time believing that a developer able to deliver such stuff isn't aware of the consequences: This is a flaw that allows skimming the passwords of half the world's corporate environments with a non-persistent, non-superuser intrusion (e.g. a browser drive-by), without trace.

  • (Score: 0) by Anonymous Coward on Saturday May 13 2017, @02:24AM

    by Anonymous Coward on Saturday May 13 2017, @02:24AM (#508959)

    a kernel driver. There's a solid amount of competence required to write one of those.

    Hahahahaha! Oh god that's funny. If competence were required there wouldn't be any kernel panics and tools like kmemtrace wouldn't even exist.

  • (Score: 4, Insightful) by Chromium_One on Saturday May 13 2017, @02:25AM (5 children)

    by Chromium_One (4574) on Saturday May 13 2017, @02:25AM (#508960)

    This is a flaw that allows skimming the passwords of half the world's corporate environments with a non-persistent, non-superuser intrusion (e.g. a browser drive-by), without trace.

    That has to be the entire point. Bonus points that it's deniable because it looks like incontinence.

    --
    When you live in a sick society, everything you do is wrong.
    • (Score: 3, Funny) by unitron on Saturday May 13 2017, @03:08AM (2 children)

      by unitron (70) on Saturday May 13 2017, @03:08AM (#508972) Journal

      Bonus points that it's deniable because it looks like incontinence.

      Or even incompetence.

      : - )

      --
      something something Slashcott something something Beta something something
      • (Score: 2) by Phoenix666 on Saturday May 13 2017, @03:27AM

        by Phoenix666 (552) on Saturday May 13 2017, @03:27AM (#508978) Journal

        Nah, it's funnier the other way.

        --
        Washington DC delenda est.
      • (Score: 0) by Anonymous Coward on Saturday May 13 2017, @12:11PM

        by Anonymous Coward on Saturday May 13 2017, @12:11PM (#509109)

        That's just taking the piss.

    • (Score: 2) by Bot on Saturday May 13 2017, @11:25AM (1 child)

      by Bot (3902) on Saturday May 13 2017, @11:25AM (#509091) Journal

      I agree, it looks like an intentional backdoor dressed up as an oops.

      Why on earth would you need to log keystrokes to a file? Is your keyboard event handling routine sooooo complex that console debug output is insufficient? Does not make sense.

      OTOH it is not fair that Windows gets to log and collect all keystrokes and poor third parties don't.

      The term incontinence is OK given we are leaking info.

      --
      Account abandoned.
      • (Score: 2) by RamiK on Saturday May 13 2017, @12:25PM

        by RamiK (1813) on Saturday May 13 2017, @12:25PM (#509112)

        No stdout for dll drivers.

        And I can even guess why they had both the debug APIs and the log: They likely tested different keyboard configurations (laptop's, usb tenkeyless, usb 104, multi-lang...) on non-production machines and didn't want to install a remote debugger just for some quick tests.

        --
        compiling...