Slashdot Mirror


Acer May Be Bugging Computers

tomjen writes "What if a well-known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well, Acer apparently has, and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"

6 of 396 comments

  1. Re:The 4th USB port by mallardtheduck · · Score: 4, Insightful

    Could just be there for optional "built-in" bluetooth or Wifi. A USB module is probably cheaper than a Mini-PCI.
    Plus, if they do no wireless, Wifi-only and Wifi+BT models, with a single Mini-PCI slot, they would need both Wifi and Wifi+BT cards; if they have a "hidden" USB port, they only need to stock Wifi mini-PCI cards and USB bluetooth adapters, the same adapters that are sold independently.

  2. Lessons learned... by Anonymous Coward · · Score: 5, Insightful

    1) Whenever possible, build your own.

    2) When you can't build your own (laptops), *always* re-install your OS after purchasing a new computer, and for God's sake use a real install CD and not the recovery one provided by the manufacturer.

  3. Re:On behalf of Acer by sunwukong · · Score: 5, Insightful

    But do you know they haven't placed a rootkit on the preinstalled Linux?

  4. Wider scope by msobkow · · Score: 4, Insightful

    Intel had to allow people to disable CPU ids.

    Why is Microsoft allowed to "embed" an id string like the WGA identifiers that allow them to identify and trace back any individual who does an update of LEGALLY LICENSED SOFTWARE?!?!?

    Why do I see a 3 year backlog of error/debug messages in certain WinXP system log files, and receive advice on how to disable error logging instead of someone FIXING THE PROBLEM?

    --
    I do not fail; I succeed at finding out what does not work.
  5. Re:present on Aspire 1690 by Staale Nordlie · · Score: 5, Insightful

    Why not just create a website that will use this vulnerability to run this "unregister" command on our machines and eliminate the vulnerability? I copied the command posted by valeurnutritive into the html demonstration code from the article. Worked just fine as far as I can tell. It has a certain poetry to it. :)

    <html>
    <body>
    <object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
    </object>
    <script>
    hahaha.Run("c", "\\windows\\system32\\regsvr32.exe -u lunchapp.ocx", "");
    </script>
    </body>
    </html>
  6. Re:@mozilla.org/process/util;1 by h2g2bob · · Score: 5, Insightful

    Exactly, that's for extensions (and the browser itself) and is protected from execution by web pages. Exploits to either firefox or its extensions or themes can lead to pwnage (same as any internet-capable program).

    The difference between ie activex and fx extensions is that firefox encourages you to go through addons.mozilla.org, for which all the extensions are reviewed (though I don't know how thoroughly) and update automatically (e.g. if exploits are found).
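
For the control described in the summary and unregistered in comment 5, a local check is more direct than visiting a web page. The PowerShell below is an added example, not code from the thread or from Acer: it reports whether a CLSID is registered and marked safe for scripting, and can set the Internet Explorer kill bit for it. The CLSID is the one from the comment's object tag; the parameter and function names are illustrative.

```powershell
# Added example, not from the thread. Run with -SetKillBit from an elevated session.
param(
    [string]$Clsid = '{D9998BD0-7957-11D2-8FED-00606730D3AA}',  # CLSID from the comment's <object> tag
    [switch]$SetKillBit
)

# Component categories that mark a control as usable from web page script.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C2B02}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C2B02}'
$KillBit          = 0x400   # "Compatibility Flags" bit that stops IE from loading the control

$clsKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$compKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-ControlStatus {
    # Hypothetical helper name. A control can also declare itself safe at run time
    # through IObjectSafety, which this registry check cannot see.
    $server = Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
    $compat = Get-ItemProperty -Path $compKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Clsid            = $Clsid
        Registered       = Test-Path $clsKey
        Binary           = $server.'(default)'
        SafeForScripting = Test-Path "$clsKey\Implemented Categories\$SafeForScripting"
        SafeForInit      = Test-Path "$clsKey\Implemented Categories\$SafeForInit"
        KillBitSet       = [bool]($compat.'Compatibility Flags' -band $KillBit)
    }
}

if ($SetKillBit) {
    # Keep any flags already present and add the kill bit.
    if (-not (Test-Path $compKey)) { New-Item -Path $compKey -Force | Out-Null }
    $old = (Get-ItemProperty -Path $compKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-ItemProperty -Path $compKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($old -bor $KillBit) -Force | Out-Null
}

Get-ControlStatus
```

On 64-bit Windows a 32-bit control is registered under the WOW6432Node view, so run the script from 32-bit PowerShell as well to cover both views.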