Sure. You can't easily replace the driver with a self-written, malicious driver without exploiting some sort of deep Windows vulnerability. However, executable code can perform all manner of mischief without being a driver. Anyway, I don't think HP's TechOps underachievement is going to convince anyone to switch their browser. Instead, HP'll just have someone spend a week or two setting up an HTTPS file server and everyone will move on. It's better for their users and it's less effort than trying to have a battle to defend FTP of all things.