Slashdot Mirror


Acer May Be Bugging Computers

tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"

9 of 396 comments

  1. Re:The 4th USB port by mallardtheduck · Score: 4, Insightful

    Could just be there for optional "built-in" bluetooth or Wifi. A USB module is probably cheaper than a Mini-PCI.
    Plus, if they do no-wireless, Wifi-only and Wifi+BT models with a single Mini-PCI slot, they would need both Wifi and Wifi+BT cards. If they have a "hidden" USB port, they only need to stock Wifi mini-PCI cards and USB bluetooth adapters, the same adapters that are sold independently.

  2. Lessons learned... by Anonymous Coward · Score: 5, Insightful

    1) Whenever possible, build your own.

    2) When you can't build your own (laptops), *always* re-install your OS after purchasing a new computer, and for God's sake use a real install CD and not the recovery one provided by the manufacturer.

  3. Re:On behalf of Acer by sunwukong · Score: 5, Insightful

    But do you know they haven't placed a rootkit on the preinstalled Linux?

  4. Wider scope by msobkow · Score: 4, Insightful

    Intel had to allow people to disable CPU ids.

    Why is Microsoft allowed to "embed" an id string like the WGA identifiers that allow them to identify and traceback any individual who does an update of LEGALLY LICENSED SOFTWARE?!?!?

    Why do I see a 3 year backlog of error/debug messages in certain WinXP system log files, and receive advice on how to disable error logging instead of someone FIXING THE PROBLEM?

    --
    I do not fail; I succeed at finding out what does not work.
  5. Re:present on Aspire 1690 by Staale Nordlie · Score: 5, Insightful

    Why not just create a website that will use this vulnerability to run this "unregister" command on our machines and eliminate the vulnerability? I copied the command posted by valeurnutritive into the html demonstration code from the article. Worked just fine as far as I can tell. It has a certain poetry to it. :)

    <html>
    <body>
    <!-- the preinstalled LunchApp control, instantiated by its CLSID -->
    <object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
    </object>
    <script>
    // Run(Drive, FileName, CmdLine): use the control to unregister itself via regsvr32 -u
    hahaha.Run("c", "\\windows\\system32\\regsvr32.exe -u lunchapp.ocx", "");
    </script>
    </body>
    </html>
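    The HTML above only works from inside the browser on an affected machine. As an added example (not from the thread, not Acer's code, and not from the advisory quoted in the summary), the following elevated PowerShell does the same check and clean-up from the administrator side: it looks up the CLSID posted above (with the stray space from the extracted text removed) in the COM registration, reports whether the control carries the standard "safe for scripting" and "safe for initializing" component categories that let IE script it from any page, sets the IE kill bit so the control can no longer be loaded by <object> or ActiveXObject even if the .ocx stays on disk, and optionally unregisters the file. The category GUIDs and registry paths are the standard Windows ones; the CLSID is assumed to be the one in the comment.

```powershell
# Added example: audit and neutralise the LunchApp ActiveX control (run elevated).
$clsid            = '{D9998BD0-7957-11D2-8FED-00606730D3AA}'     # from the comment above
$safeForScripting = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'     # CATID_SafeForScripting
$safeForInit      = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'     # CATID_SafeForInitializing

$reg = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
if (-not (Test-Path $reg)) {
    Write-Host "Control $clsid is not registered on this machine."
    return
}

# 1. Where does the registered server live?
$server = (Get-ItemProperty "$reg\InprocServer32").'(default)'
Write-Host "Registered server: $server"

# 2. Is it marked scriptable from any web page? These subkeys are what IE consults
#    before letting an untrusted page call methods such as Run().
$scriptable  = Test-Path "$reg\Implemented Categories\$safeForScripting"
$initialisable = Test-Path "$reg\Implemented Categories\$safeForInit"
Write-Host "Safe for scripting:    $scriptable"
Write-Host "Safe for initializing: $initialisable"

# 3. Set the IE kill bit (Compatibility Flags = 0x400). This blocks the CLSID in IE
#    regardless of whether the OCX is later re-registered by a recovery image.
$killbit = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $killbit)) { New-Item -Path $killbit -Force | Out-Null }
New-ItemProperty -Path $killbit -Name 'Compatibility Flags' -PropertyType DWord `
                 -Value 0x400 -Force | Out-Null
Write-Host "Kill bit set for $clsid"

# 4. Optional: also unregister the OCX, the same thing the HTML above does via regsvr32 -u.
if ($server -and (Test-Path $server)) {
    & regsvr32.exe /s /u "$server"
    Write-Host "Unregistered $server"
}
```

On 64-bit Windows a 32-bit control registers under HKLM\SOFTWARE\Wow6432Node\Classes\CLSID, and the matching kill bit goes under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility; run the same steps against those paths as well. The kill bit is the part worth keeping: unregistering alone is undone the next time the recovery partition reinstalls the control.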
  6. Re:@mozilla.org/process/util;1 by h2g2bob · Score: 5, Insightful

    Exactly, that's for extensions (and the browser itself) and is protected from execution by web pages. Exploits to either firefox or its extensions or themes can lead to pwnage (same as any internet-capable program).

    The difference between ie activex and fx extensions is that firefox encourages you to go through addons.mozilla.org, for which all the extensions are reviewed (though I don't know how thoroughly) and update automatically (eg if exploits are found).

  7. Re:to those of us uneducated by PAjamian · Score: 3, Insightful

    Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS WORD docs containing the words 'budget; personal; finance; medical; records; debt; sex, SSN (and all applicable variants)', etc.

    OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?

    How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!

    I doubt their intentions are anything so malicious. TFA states that this control is from back in 1998. Back then internet security wasn't as big of a concern as it is now. They probably put the control in place with the intention that they could use it to launch a help-desk application or run commands for repairing the computer remotely (ie from a help desk tech). Maybe have knowledge base articles that link to pages that automatically run the repairs needed. The active-x control can certainly do all this easily. It's not too far fetched to think that they would have forgotten about it after that and not even thought to remove it from future releases.

    There is an old saying (paraphrased, I don't recall the exact quote), "Never attribute to malice what can be explained by incompetence." I think this is just a case of gross incompetence, but not malice.
    --
    Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
  8. Re:Phew! by DaveCar · Score: 3, Insightful

    Heh, if you're the kind of anal-retentive who runs Debian then you'd probably have a problem with which version of Debian they installed. Then the kernel version, then the desktop environment ... if you want to run Debian it is probably easier on everyone if you just install it yourself ...

    I run Debian ;-)

  9. Re:I'm not impressed with this IE7 "improvement" by FireFury03 · Score: 3, Insightful

    You may be shocked to realize that Firefox plugins and extensions don't run in any sandbox at all. They in fact have access to any resource Firefox has, which on a Windows machine is usually administrator capabilities.

    You don't need to sandbox the plugin itself - you need to sandbox any code the plugin downloads and executes. For example, a Java VM plugin is not in a sandbox, however *it* sandboxes the bytecode itself - the VM restricts what the code can do. On the other hand, ActiveX failed to do this since it provided functions to access every aspect of the host environment.

    So this isn't anything to do with insecurities in the browser, this is down to insecurities in the plugin. Any firefox plugin that allows anything downloaded from the web to execute arbitrary commands on the host would be considered similarly insecure.