ADVISORY: Install HP patch to remove keylogger

An audio driver installed on some 2015 and 2016 Hewlett-Packard (HP) laptops contains a feature that records every keystroke the user makes and stores this information in an unencrypted log file. HP has released patches to remove the keylogger and delete the log file. The patches, available via Windows Update and from HP.com, should be applied as soon as possible after appropriate testing.

The pre-installed audio driver puts an executable file in the Windows system folder that is scheduled to start every time the user logs in and to capture and log all keystrokes. The file is intended for use in controlling audio hardware when a user presses special keys, and the keylogger appears to have been intended for debugging. The log file, which is overwritten every time the user logs out, is located at C:\Users\Public\MicTray.log. If, however, any kind of incremental backup system is in place, there could be an ongoing record of everything the user types, including passwords.

A person or malicious software with local access to the user's files on an affected computer could obtain passwords, visited web addresses, private messages, and any other sensitive information that the user has typed.

Check to see if C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.

• Apply patches to affected laptops when available. As of 10:00 a.m. May 12, patches for 2016 models are available. Patches for 2015 models are expected by the end of the day. Check for patches at:
  • Windows Update
  • HP.com (you may need to enter your model number)
• If patches are not yet available for an affected device, you can do the following in the meantime:
  • Check to see if C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.
  • If you find one of the files listed above, delete it to prevent it from logging keystrokes. Be aware that this will stop certain special keys from working.
  • Also delete the C:\Users\Public\MicTray.log file; it may contain sensitive information such as passwords and login credentials.

According to the ModZero security advisory: "Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. It monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetwindowsHookEx(). In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log)."

For more detail, see the ModZero security advisory.

MiWorkspace machines will be updated as soon as possible. If you have an affected device that is not managed by the university, please check for updates via Windows Update or HP.com and apply them.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.

• HP issues fix for 'keylogger' found on several laptop models (ZDNet, 5/12/17)
• HP shipped laptops with a keylogger installed, security firm reveals (Wired, 5/12/17)
• HP laptops covertly log user keystrokes, researchers warn (Ars Technica, 5/11/17)
• Keylogger discovered preinstalled on some HP laptops (CNet, 5/11/17)
• Keylogger in Hewlett-Packard Audio Driver (Modzero, 5/11/17)
• ModZero  Security  Advisory:  Unintended/Covert Storage Channel for sensitive data in Conexant HD Audio Driver Package. [MZ-17-01]