May 11, 2017

HP says it has a fix for flaw that caused some PCs to log every keystroke

Ina Fried

HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016.

A fix for 2016 models was released today via Windows Update, while a fix for 2015 models will be released tomorrow on both Windows Update and HP's Web site, HP Vice President Mike Nash told Axios.

Why it matters: Although HP never accessed the data and the logs weren't sent anywhere, just having them created a security threat. The fix not only deletes the key-logging code but also the files that stored keystrokes. (However, in theory customers using PC backup software might have copies elsewhere.)

Nash said that the code was debugging code that was inadvertently left in by Conexant, the company that made the audio driver, and should never have been included on shipping PCs. There was never an intent to have such software or collect any user data, he said.

"It was something that was there in development process and should have bene removed," Nash said.

Affected computers include various HP EliteBook, ProBook and Zbook models.

Security firm Modzero released an advisory on the issue earlier on Thursday, but had previously notified HP and Conexant and Nash said HP has been developing a fix before the advisory was released.

Go deeper