Researcher Michael Myng found a deactivated keylogger in a piece of software found on over 460 HP laptop models. The keylogger was built into the software which controls the Synaptics touchpads used by the affected HP laptops, and was originally meant to help engineers to find and fix bugs in the software, according to HP.
The discovery comes just seven months after a similar keylogger was found inside HP's preinstalled audio drivers. While few home users would be likely to turn it on, it would be a tasty exploit for RAT (remote access trojan) herders. The keylogger is deactivated by default but could represent a privacy concern if an attacker has physical access to the computer. However, without an HP laptop of his own, the researcher couldn't look as deeply as he wanted to, his post said. A patch has since been released that removes the keylogger, but users must update their machines to get it.
The bug was disclosed by Myng, who posts as "ZwClose", while he was looking through the driver to see if he could adjust the backlighting of HP laptop keyboards. HP said at the time that the keylogger software had been "mistakenly" added to the drivers.
In a statement, the company said: "HP uses Synaptics' touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on".
HP acknowledged the issue, and issued updated firmware for more than 173 commercial products and over 293 consumer products.
An attacker would need administrative privileges on the machine in order to take advantage of the vulnerability. According to ZwClose, the update will also be delivered automatically via Windows Update.
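Since the fix only reaches machines that actually take the update, an administrator's practical follow-up is to inventory which hosts still run an old Synaptics touchpad driver. The script below is an added example written for this article, not code from HP, Synaptics or the researcher. It lists Synaptics drivers via the standard `Win32_PnPSignedDriver` CIM class and compares each version against `$FixedVersion`, which is a placeholder: the real minimum version comes from HP's security bulletin for the specific model and is not stated on this page.

```powershell
# Added example: inventory Synaptics touchpad drivers on a Windows host and
# flag any whose version is below a known-fixed version.
# $FixedVersion is a PLACEHOLDER (assumption); replace it with the version
# given in HP's security bulletin for the laptop model being checked.
$FixedVersion = [version]'0.0.0.0'

# Win32_PnPSignedDriver exposes DeviceName, Manufacturer, DriverVersion and
# DriverDate for every signed driver bound to a device on this host.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object {
        $_.DeviceName -like '*Synaptics*' -or $_.Manufacturer -like '*Synaptics*'
    }

if (-not $drivers) {
    Write-Output 'No Synaptics driver found on this host.'
    return
}

foreach ($d in $drivers) {
    # DriverVersion is a string; parse it so comparison is numeric, not lexical.
    $ver = $null
    $parsed = [version]::TryParse($d.DriverVersion, [ref]$ver)

    $status = if (-not $parsed) { 'UNKNOWN (unparseable version)' }
              elseif ($ver -lt $FixedVersion) { 'NEEDS UPDATE' }
              else { 'OK' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Device   = $d.DeviceName
        Version  = $d.DriverVersion
        Date     = $d.DriverDate
        Status   = $status
    }
}
```

Run it locally with elevated rights, or wrap it in `Invoke-Command -ComputerName ... -ScriptBlock { ... }` to collect the same object from a list of hosts and pipe the results to `Export-Csv` for a fleet-wide view of which laptops still need the patched driver.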