HP has rolled out a security update to fix the Synaptics Touchpad debug tool security issue impacting about 460 models of HP laptop, chief technologist Mike Nash told CRN USA.
Nash cautioned partners to make sure that the Synaptics debug tool issue was not affecting laptop products from other OEM partners.
"We have worked with Synaptics to address this issue with new drivers that remove this code," said Nash. "We fixed it. We have a fix at HP.com. What I don't know is for the other companies also using Synaptics if their devices have had the fixes made available and deployed."
Nash said the debug tool issue was reported by a security researcher in August and HP began working immediately with Synaptics to provide software updates for the impacted Touchpad drivers.
HP issued a support communication security bulletin on 7 November titled: "Synaptics Touchpad Driver Potential, Local Loss of Confidentiality" with security updates.
"For every device that was affected there is a driver on HP.com that corrects the problem," said Nash.
The majority of the HP security updates have been marked as "critical" on Windows Update so that they get installed automatically, said Nash. The remaining updates will be marked as critical and automatically provided on Windows Update within the next week, he said.
Synaptics, for its part, said in a Synaptics Touchpad Driver Security Brief that "using a standardised risk scoring system, the Common Vulnerability Scoring System (CVSS), this debug tool scores approximately 2 out of 10, and is classified as a low risk".
That said, the company noted that in today’s "heightened sensitivity to security and privacy, Synaptics will take the precautionary steps of defeaturing the debug tool for production drivers to further prevent the tool from being used in an unintended and malicious way".
Furthermore, Synaptics said it is "working closely with our PC customers to update drivers and to deploy them to address security concerns".
Synaptics also recommended "best practices" that restrict "Admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."
Synaptics also apologized for any "concerns" that the debug tool may have raised. "We have a path to immediately address this issue and other security concerns should they arise," the company said.
Synaptics said some articles that categorised the debug tool issue as a keylogger were inaccurate. "Our debug tool was mischaracterised in the articles as 'keylogger'," said the company.
Nash said there was a "lot of misinformation out there that made people more worried than they needed to be".
The reality, Nash said, was the debugging code in the HP laptops was "almost in every case off by default."
Furthermore, he said, the debugging tool was not "storing data into a file", but rather kept it in a "memory buffer" used only for debugging. Typically, that debugger captures about "40 seconds" of typing, said Nash, and if you reboot the laptop or it goes to sleep the "buffer is wiped out".