HP has issued security patches for more than 460 models of the company's laptops and thin clients to address a hidden keylogger present in the Synaptics touchpad drivers. Discovered by security researcher Michael Myng while delving into the Synaptics Touchpad Software in an attempt to change the backlight behavior of the keyboard, the keylogger was reportedly built into the software stack to debug errors. While it shipped to customers disabled by default, an attacker who had already gained administrative privileges could change the appropriate registry value and enable keylogging to locally record all of the user's keystrokes without their knowledge. Further malicious code or local physical access could then be used to retrieve the recorded data and mine it for possible passwords, usernames, account numbers, and other personal information.
Image courtesy Robbert van der Steeg via Flickr Creative Commons
HP states in its security bulletin that at no time did it or Synaptics have access to customer data, and that this vulnerability is a "local loss of confidentiality." It should nonetheless be acted upon as soon as possible by downloading the security patch for your laptop from HP or by running Windows Update.
According to the HP security bulletin, the vulnerability reportedly affects all Synaptics OEM partners including HP that have shipped systems with certain Synaptics Touchpad driver versions. In the case of HP this includes commercial / enterprise notebooks, tablets, thin clients, and mobile workstations from their G2, G4, G6, Elite X2, EliteBook, Thin Client, ProBook, Spectre Pro, Stream, X360, and ZBook Mobile Workstation series and consumer devices with Compaq, Beats, ENVY, OMEN, Pavilion, Spectre, Split, Stream, and even the 15" Star Wars Special Edition laptop!
While this is a serious security risk, there is no need to panic. You should apply the patch manually or through Windows Update as soon as possible. So long as you have been following, and continue to follow, security best practices (strong passwords, regular anti-virus and anti-malware scans, restricting physical access, not running as administrator on your daily user account, etc.), you should be safe, since several steps would need to be completed before an attacker could take advantage of this hidden keylogger, especially remotely.
You can find the full list of affected laptops and their associated security patches on HP's support website. For a PGP signed version of the page you can email firstname.lastname@example.org.