HP Chief Technologist Mike Nash Wednesday told CRN that the Synaptics Touchpad debug tool security issue impacting about 460 HP laptops has been "fixed" with security updates.
At the same time, Nash cautioned partners to make sure that the Synaptics debug tool issue is not affecting the laptop products from other OEM partners.
"We have worked with Synaptics to address this issue with new drivers that remove this code," said Nash. "We fixed it. We have a fix at HP.com. What I don't know is for the other companies also using Synaptics if their devices have had the fixes made available and deployed."
Nash told CRN that the debug tool issue was reported by a security researcher in August and HP began working immediately with Synaptics to provide software updates for the impacted Touchpad drivers.
HP issued a support communication security bulletin on November 7 titled: "Synaptics Touchpad Driver Potential, Local Loss of Confidentiality" with security updates. "For every device that was affected there is a driver on HP.com that corrects the problem," said Nash.
The majority of the HP security updates have been marked as "critical" on Windows Update so that they get installed automatically, said Nash. The remaining updates will be marked as critical and automatically provided on Windows Update within the next week, he said.
Synaptics, for its part, said in a Synaptics Touchpad Driver - Security Brief that "using a standardized risk scoring system, the Common Vulnerability Scoring System (CVSS), this debug tool scores approximately 2 out of 10, and is classified as a low risk."
That said, the company noted that in today’s "heightened sensitivity to security and privacy, Synaptics will take the precautionary steps of defeaturing the debug tool for production drivers to further prevent the tool from being used in an unintended and malicious way."
Furthermore, Synaptics said it is "working closely with our PC customers to update drivers and to deploy them to address security concerns."
Synaptics also recommended "best practices" that restrict "Admin access to any system as anyone with this level of access can potentially install malware or other anti-privacy software irrespective of whether the debug tool is on or off."