Security vulnerabilities have become a major bottleneck in the hardware and software industry. In fact, software vulnerabilities surface daily, in too many places at once to keep count. One recent case: SafeBreach, a popular security research firm, discovered a critical vulnerability stemming from a bug in Open Hardware Monitor. This bug affects Windows PCs that run software based on Open Hardware Monitor. HP TouchPoint Analytics, one of the most commonly used software packages, makes use of the Open Hardware Monitor tool and runs on millions of HP laptops and desktops worldwide.
This, in turn, puts millions of users at risk. HP has, however, fixed the vulnerability with a security patch after being informed of the flaw. But other firms using the Open Hardware Monitor tool are still at risk. In case you aren’t aware of Open Hardware Monitor, it’s a free, open source software program that monitors the temperature sensors, fan speeds, voltages, load and clock speeds of a computer.
What made this flaw potentially dangerous is that HP TouchPoint Analytics comes loaded as “signed devices,” so it is “whitelisted” by anti-malware tools. For this particular vulnerability, HP TouchPoint Analytics had high, root-level system access that enabled hackers to perform privilege escalation and gain access to critical parts of the system.
Furthermore, hackers can exploit the Open Hardware Monitor driver, which has the highest level of privileges in the operating system and can easily read and write to hardware memory.
“These types of vulnerabilities are alarming because they indicate the ease with which malicious hackers could mount supply-chain attacks targeting and breaching highly trusted elements of our software ecosystem. And this should be a clear signal to security teams that they need to increase their frequency of testing and analysis of their security envelope in order to match the pace of criminals who are constantly innovating ways to hack into the most vulnerable parts of IT systems,” says Itzik Kotler, CTO and Co-Founder at SafeBreach.
[“source=mashable”]