HP HAS issued an update for hundreds of laptops and notebooks which removes a keylogger accidentally left in place within the driver for the touchpad.
The Synaptics Touchpad driver included a SynTP.sys file which contained a debugging script that could easily have been turned into a keylogger with one simple registry change - turning it from off to on.
All it would take to enable it would be for a hacker to change the key after bypassing User Account Control (UAC), which, as security functions go, has absolutely no teeth, as it is incredibly easy to fool.
The result would be a change completely undetectable by anti-malware software because it would leave the kernel's digital signature unchanged.
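A defender's audit of a single host for the driver and toggle described above, as an added example that is not from the article, HP or Synaptics. The article does not name the registry key, value or "on" value, so the `$ToggleKey`, `$ToggleValue` and the `1` comparison below are labelled placeholders to be replaced from the vendor advisory; it also shows why a valid Authenticode signature on SynTP.sys proves nothing about the toggle.

```powershell
# Added example (not the article's, HP's or Synaptics' code): audit this Windows host for the
# Synaptics touchpad driver and for the debug-trace toggle the article describes.
# PLACEHOLDERS: the article does not name the registry key, value name or the "on" value;
# replace the three placeholder lines below with the details from the vendor advisory.
$DriverPath  = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
$ToggleKey   = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR_KEY'   # placeholder, not a real key
$ToggleValue = 'PLACEHOLDER_TRACE_ENABLE'                # placeholder value name
$ToggleOn    = 1                                         # assumed "on" value, placeholder

function Get-SynTPAudit {
    $result = [ordered]@{
        DriverPresent   = Test-Path $DriverPath
        DriverVersion   = $null
        SignatureStatus = $null
        TraceToggle     = $null
        Finding         = 'Synaptics driver not installed'
    }
    if (-not $result.DriverPresent) { return [pscustomobject]$result }

    # Driver version is what you compare against HP's list of fixed versions.
    $result.DriverVersion = (Get-Item $DriverPath).VersionInfo.FileVersion

    # The article's point: the driver file is never modified, so its Authenticode signature
    # stays valid. A "Valid" status here therefore says nothing about whether the trace is on,
    # which is why the registry value has to be checked separately.
    $result.SignatureStatus = (Get-AuthenticodeSignature $DriverPath).Status

    $toggle = Get-ItemProperty -Path $ToggleKey -Name $ToggleValue -ErrorAction SilentlyContinue
    if ($null -ne $toggle) { $result.TraceToggle = $toggle.$ToggleValue }

    $result.Finding = if ($result.TraceToggle -eq $ToggleOn) {
        'Debug trace toggle is ON: treat as a keylogging risk and find out who set it'
    } elseif ($null -eq $result.TraceToggle) {
        'Toggle absent or unreadable: still compare the driver version with the HP advisory'
    } else {
        'Toggle off: update to the fixed driver anyway so the toggle cannot be flipped later'
    }
    [pscustomobject]$result
}

Get-SynTPAudit | Format-List
```

Run it in an elevated PowerShell on each affected model; only an administrator can read or change the toggle, which matches HP's note that the attacker needs administrative privileges.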
Bleeping Computer reports that the issue was uncovered by security researcher Michael Myng, who explained that "the keylogger saved scan codes to a WPP trace". WPP tracing is a process designed for debugging only and not for the public, and it should have been removed long ago.
What's particularly worrying is that this is the second strike for HP, which did exactly the same thing with an audio driver earlier this year.
The support page on HP's site explains: "A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue."
This is followed by the list of some 475 models affected by the bug, including OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook and ProBook. Also included are some Compaq models.
Myng included a full explanation for developers. In it, he states that after reporting the issue to HP they moved "incredibly fast".
At this point the "tin foil hat" brigade noted that, in fact, HP's T&Cs would have allowed the keylogger in any case.