A keylogging vulnerability has been discovered in the audio driver of HP laptops, says the independent Swiss security firm Modzero.

The security concern stems from the way the audio driver handles input from media control keys. The driver process, called MicTray64.exe, records when media keys are pressed and changes settings accordingly.

This is harmless on its own, but the problem is that the driver also writes keystrokes to a text file called MicTray.log. An attacker who obtains the file can extract personal information such as passwords and credit card numbers.

The situation is made worse when MicTray.log is not created or doesn’t exist. In that case, all keystrokes are passed to the OutputDebugString API, which allows any process in the Current User context to obtain keystrokes in real time without being detected by antivirus software.

Affected models include:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Affected Operating Systems include:

  • Microsoft Windows 10 32
  • Microsoft Windows 10 64
  • Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
  • Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
  • Microsoft Windows 7 Enterprise 32 Edition
  • Microsoft Windows 7 Enterprise 64 Edition
  • Microsoft Windows 7 Home Basic 32 Edition
  • Microsoft Windows 7 Home Basic 64 Edition
  • Microsoft Windows 7 Home Premium 32 Edition
  • Microsoft Windows 7 Home Premium 64 Edition
  • Microsoft Windows 7 Professional 32 Edition
  • Microsoft Windows 7 Professional 64 Edition
  • Microsoft Windows 7 Starter 32 Edition
  • Microsoft Windows 7 Ultimate 32 Edition
  • Microsoft Windows 7 Ultimate 64 Edition
  • Microsoft Windows Embedded Standard 7 32
  • Microsoft Windows Embedded Standard 7E 32-Bit

Luckily, removal is simple:

  1. Close MicTray64.exe in Task Manager
  2. Navigate to C:\Windows\System32\MicTray64.exe and move the file to Desktop
  3. Check if C:\Users\Public\MicTray.log exists. If so, move it to your desktop
  4. Check the log file to see if it contains any login information. If so, change those credentials immediately.
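
The four steps above as a PowerShell script, for checking more than one machine. This is an added example, not code from Modzero or HP; the process name and file paths are the ones given in this article, the quarantine folder name is an assumption, and the session is assumed to be elevated (moving a file out of System32 requires administrator rights).

```powershell
# Added example: stop the driver process and quarantine the binary and its log.
# Process name and paths are taken from the article; $Quarantine is an assumed name.
$ProcessName = 'MicTray64'
$DriverPath  = 'C:\Windows\System32\MicTray64.exe'
$LogPath     = 'C:\Users\Public\MicTray.log'
$Quarantine  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MicTray-quarantine'

# Step 1: stop the running driver process, if there is one.
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $procs | Stop-Process -Force
    Write-Output "Stopped $($procs.Count) $ProcessName process(es)."
} else {
    Write-Output "$ProcessName is not running."
}

# Steps 2 and 3: move the executable and the log file out of their original locations.
foreach ($path in $DriverPath, $LogPath) {
    if (Test-Path -LiteralPath $path) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $item = Get-Item -LiteralPath $path
        Write-Output ("Found {0} ({1} bytes, last written {2})" -f `
            $item.FullName, $item.Length, $item.LastWriteTime)
        Move-Item -LiteralPath $path -Destination $Quarantine -Force
    } else {
        Write-Output "Not present: $path"
    }
}

# Step 4: a non-empty log means keystrokes were recorded and must be reviewed by hand.
$quarantinedLog = Join-Path $Quarantine (Split-Path -Path $LogPath -Leaf)
if ((Test-Path -LiteralPath $quarantinedLog) -and
    ((Get-Item -LiteralPath $quarantinedLog).Length -gt 0)) {
    Write-Warning "MicTray.log is not empty. Review $quarantinedLog and change any credentials it contains."
} else {
    Write-Output "No keystroke log content found at the expected location."
}
```

The quarantined log may itself hold passwords, so delete it once the review in step 4 is done.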

 

Source: Modzero