
Acer May Be Bugging Computers 396

Posted by Zonk
from the might-want-to-look-into-this dept.
tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"
  • Re:Phew! (Score:3, Insightful)

    by east coast (590680) on Monday January 08, 2007 @12:58AM (#17504792)
    You're missing the point. What happens on the day that they start putting out Linux and simply "make things easier for the end user" by circumventing some common sense security measures?
  • by mallardtheduck (760315) on Monday January 08, 2007 @01:06AM (#17504844)
    Could just be there for optional "built-in" Bluetooth or Wifi. A USB module is probably cheaper than a Mini-PCI.
    Plus, if they do no-wireless, Wifi-only and Wifi+BT models with a single Mini-PCI slot, they would need both Wifi and Wifi+BT cards. If they have a "hidden" USB port, they only need to stock Wifi Mini-PCI cards and USB Bluetooth adapters, the same adapters that are sold independently.
  • by starwed (735423) on Monday January 08, 2007 @01:10AM (#17504872)
    When I bought a USB2 PCI card for my desktop, most models had a single internal USB port as well as all the external ones. I think this is pretty common, and nothing nefarious.
  • Lessons learned... (Score:5, Insightful)

    by Anonymous Coward on Monday January 08, 2007 @01:11AM (#17504882)
    1) Whenever possible, build your own.

    2) When you can't build your own (laptops), *always* re-install your OS after purchasing a new computer, and for God's sake use a real install CD and not the recovery one provided by the manufacturer.
  • by Telvin_3d (855514) on Monday January 08, 2007 @01:12AM (#17504892)
    While I agree with you in general paranoid principle, I think the last bit is a little naive. It's like saying that if you want to have a safe house, you should be able to build your own in order to make sure there is no secret explode-on-remote-command hardware installed. Yes, people need to pay a little attention, but this type of shit is above and beyond anything that should be expected.

    P.S. I want to see Holmes on Homes run across a secret explode-on-remote-command thing in an episode. That would make my week.
  • by Shadyman (939863) on Monday January 08, 2007 @01:33AM (#17505032) Homepage
    1. Format your hard disk 2. Install Linux 3. Return your Windows for a refund (Profit!)
  • Re:Wow (Score:2, Insightful)

    by codepunk (167897) on Monday January 08, 2007 @01:44AM (#17505084)
    Well considering they are the creators of the almighty active x control that allows unsafe code execution in a browser, I would say yes he is suggesting that.

    And he would be absolutely correct, well acer is not exactly off the hook here either.
  • Re:Wow (Score:2, Insightful)

    by willyhill (965620) <pr8wak&gmail,com> on Monday January 08, 2007 @02:20AM (#17505246) Homepage Journal
    I love that someone modded you up. So, if I give you a box of matches and you set fire to your house on purpose, you'd blame me? Kind of like people who pour hot coffee on themselves and file a lawsuit for a million bucks, right?

    acer is not exactly off the hook here either.

    That's an interesting way to put it. But I guess that's the only way to rationalize it if you were desperate enough to pin this on Microsoft for some reason.

  • by Bargearse (68504) on Monday January 08, 2007 @02:24AM (#17505280) Homepage
    I doubt it would be eligible for a bounty, as it won't run under Vista's default configuration. It can be made to run though :)

  • by black hole sun (850775) on Monday January 08, 2007 @02:24AM (#17505284)
    Of course simply deleting the file in question is just way too off-the-wall for most users.
  • I believe that everyone who has a flashing 12:00 on their VCR/DVD player should be fined until they know how to fix it.

    I've got a flashing 0:00 on my stereo and I'm a computer programmer. Do I know how to set it to the correct time? Sure! Thing is, the clock resets whenever the electricity goes out. It's not that it happens that much, but there was a period here (I think they were working on the grid) that it failed for a minute every few days. I got sick 'n tired of putting in back the time and that is why it's still flashing.

    According to you, I should get fined.

    It will never change: a computer can do no "big harm" (according to the public) as can a grill combined with gasoline. Sure, identity theft, aiding spambot networks, and "degraded performance" are things that these non-technical people can and will experience but none of these exactly "harms them". At least not in the short term, because long term is not in their scope. Sure, worst case they get their identity stolen, but they will not "link" this to "bad security habits" they had in the past: it will be the "Evil Hackers" that did it. (Exactly "how" is magic to them, and to them they did nothing wrong.) It's a bit like coming home and finding that your dog pooped in your slippers. You hold his nose into the poop to "teach him a lesson"; alas, the poor dog doesn't understand the punishment because he pooped there hours ago and doesn't link the punishment with the "offense". (Note, I don't have a dog and I only heard this. Don't take it as a "fact" but as an illustration.)

    I used to be for an "internet capability license", but I just ditched that idea. I had the unfortunate experience to teach "initiation to information technology" (= glorified Word course) to 13 year olds in a "technical school". Now, you have a bunch of 13 year olds that don't even know how to use a keyboard correctly! Sure, that should have been the first thing I should have explained, but I didn't know better! I was under the illusion that keyboards were self-explanatory. (Hint: they are not.) So, they all know how to surf (with Flash games and MySpace-style homepages being favourites) but they type their capital letters by pushing "Caps Lock", then pushing the letter they want, and then pushing "Caps Lock" again. These habits are hard to get out, because they have been doing this forever at home.

    The general "computing public" is no more than these 13 year olds, and worse: those 13 year olds will learn eventually because they are young and their minds still absorb a lot. Now, for adults, the picture is not so rosy.

    Hey, I don't care anymore! I've gone back to IT, and am happy with people that know shit: Because of [slashdot.org] this [slashdot.org]

  • On behalf of Acer (Score:3, Insightful)

    by Qbertino (265505) on Monday January 08, 2007 @02:55AM (#17505470)
    Acer is one of the 'big name' Laptop producers that actually sell Laptops with Linux preinstalled that are generally available and visible [alternate.de] and don't require placement of a special order at headquarters overseas. And they let you notice the price difference to the same models with Windows on them.
    Solution to this 'bug': If you buy an Acer, buy one that comes with Linux.
  • Re:Phew! (Score:2, Insightful)

    by KDR_11k (778916) on Monday January 08, 2007 @03:10AM (#17505536)
    Those with their model numbers containing an N ship with Linux (e.g. TravelMate 2482NWXMI). A local PC store has them, they list the OS as "Linpus Linux". I doubt that you'll see them stocked by many retailers, though.
  • by sunwukong (412560) on Monday January 08, 2007 @03:18AM (#17505584)
    But do you know they haven't placed a rootkit on the preinstalled Linux?
  • Re:Wow (Score:1, Insightful)

    by willyhill (965620) <pr8wak&gmail,com> on Monday January 08, 2007 @03:19AM (#17505590) Homepage Journal
    Maybe it would make more sense if you were a three or four year old kid fascinated with fire and we gave the matches to you.

    Funny you mention that, because I think that's the level of cognitive awareness needed to turn this into a "it's all Microsoft's fault" debate.

    And actually the lawsuit for spilt coffee and a million bucks entailed the coffee being so hot it melted the cup.

    Yes, well. Would you rather I use another example of a frivolous lawsuit? There's lots of them to go around.

    This type of stuff shouldn't be able to happen after how many exploits causing malicious harm to computers.

    I don't understand this. Are you saying it's Microsoft's fault, or that Acer is less culpable?

    I can do lots of bad stuff with an XPI extension, like turn your machine into a spam zombie, download kiddie porn and randomly delete your documents. Would you mind much if I blame the Mozilla foundation for things like that?

  • Multiple Angles (Score:3, Insightful)

    by splutty (43475) on Monday January 08, 2007 @03:52AM (#17505758)
    This is getting to be way off topic, but seriously. It seems you don't know the primary reason of existence for DVDs, which is something that the multi angle button is used in quite a lot.

    Of course I'm talking about the driving force behind almost all new electronical inventions, the Pr0N.
  • Wider scope (Score:5, Insightful)

    by msobkow (48369) on Monday January 08, 2007 @04:18AM (#17505844) Homepage Journal

    Intel had to allow people to disable CPU ids.

    Why is Microsoft allowed to "embed" an id string like the WGA identifiers that allow them to identify and traceback any individual who does an update of LEGALLY LICENSED SOFTWARE?!?!?

    Why do I see a 3 year backlog of error/debug messages in certain WinXP system log files, and receive advice on how to disable error logging instead of someone FIXING THE PROBLEM?

  • by Staale Nordlie (943189) on Monday January 08, 2007 @04:27AM (#17505882)

    Why not just create a website that will use this vulnerability to run this "unregister" command on our machines and eliminate the vulnerability?
    I copied the command posted by valeurnutritive into the html demonstration code from the article. Worked just fine as far as I can tell. It has a certain poetry to it. :)

    <html>
    <body>
    <!-- Instantiate the Acer control by its CLSID, then call its own Run()
         method to have regsvr32 unregister the control. -->
    <object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
    </object>
    <script>
    hahaha.Run("c", "\\windows\\system32\\regsvr32.exe -u lunchapp.ocx", "");
    </script>
    </body>
    </html>
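Unregistering the control as shown in the comment above is undone the moment anything re-registers the OCX. An administrator's alternative, as an added example that is not from the article or any commenter: audit whether the CLSID quoted in that comment is registered and flagged "safe for scripting", then set Internet Explorer's per-control kill bit so pages can no longer instantiate it. The CLSID is the one from the comment above; the category and kill-bit registry locations are the documented ones, and the script assumes an elevated prompt.

```powershell
# Added example (not the article's or Acer's code): audit and kill-bit an ActiveX control.
# Run from an elevated PowerShell prompt.
$clsid            = '{D9998BD0-7957-11D2-8FED-00606730D3AA}'  # CLSID quoted in the comment above
$safeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$safeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

$regKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (-not (Test-Path $regKey)) {
    Write-Host "Control $clsid is not registered on this machine."
} else {
    $server = (Get-ItemProperty "$regKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "Control is registered; server binary: $server"
    # A control is "safe for scripting" when it lists the category under Implemented Categories.
    $categories = @{ 'safe for scripting' = $safeForScripting; 'safe for initializing' = $safeForInit }
    foreach ($cat in $categories.GetEnumerator()) {
        $flagged = Test-Path "$regKey\Implemented Categories\$($cat.Value)"
        Write-Host ("  marked {0}: {1}" -f $cat.Key, $flagged)
    }
}

# The kill bit (Compatibility Flags = 0x400) is honoured by IE regardless of whether
# the control is registered now or re-registered later, unlike a one-off regsvr32 -u.
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $killBitKey)) { New-Item -Path $killBitKey -Force | Out-Null }
Set-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -Value 0x400 -Type DWord
Write-Host "Kill bit set for $clsid; Internet Explorer will refuse to load it from web pages."
```

On 64-bit Windows a 32-bit control is also registered under the Wow6432Node branches of both keys, so repeat the audit and the kill bit there.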
  • by h2g2bob (948006) on Monday January 08, 2007 @04:28AM (#17505886) Homepage
    Exactly, that's for extensions (and the browser itself) and is protected from execution by web pages. Exploits to either Firefox or its extensions or themes can lead to pwnage (same as any internet-capable program).

    The difference between ie activex and fx extensions is that firefox encourages you to go through addons.mozilla.org, for which all the extensions are reviewed (though I don't know how thoroughly) and update automatically (eg if exploits are found).
  • Re:Wow (Score:2, Insightful)

    by KDR_11k (778916) on Monday January 08, 2007 @05:02AM (#17506024)
    MS made Windows, Acer built the exploit. Considering that Acer built the computer they could have compromised any OS, they could e.g. ship a Linux with all browsers modified to offer an interface to websites that can do the same.
  • by PAjamian (679137) on Monday January 08, 2007 @05:23AM (#17506116)

    Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS Word docs containing the words 'budget; personal; finance; medical; records; debt; sex; SSN (and all applicable variants)', etc.
     
    OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?
     
    How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!
    I doubt their intentions are anything so malicious. TFA states that this control is from back in 1998. Back then internet security wasn't as big of a concern as it is now. They probably put the control in place with the intention that they could use it to launch a help-desk application or run commands for repairing the computer remotely (i.e. from a help desk tech). Maybe have knowledge base articles that link to pages that automatically run the repairs needed. The ActiveX control can certainly do all this easily. It's not too far fetched to think that they would have forgotten about it after that and not even thought to remove it from future releases.

    There is an old saying (paraphrased, I don't recall the exact quote), "Never attribute to malice what can be explained by incompetence." I think this is just a case of gross incompetence, but not malice.
  • by GaryPatterson (852699) on Monday January 08, 2007 @06:44AM (#17506542)
    Excellent suggestion!

    So, for the other 99% of users (you know, the ones who just want a computer that does what it's advertised to do), what's the solution?
  • Re:Phew! (Score:4, Insightful)

    by DaveCar (189300) on Monday January 08, 2007 @07:18AM (#17506742)
    Heh, if you're the kind of anal-retentive who runs Debian then you'd probably have a problem with which version of Debian they installed. Then the kernel version, then the desktop environment ... if you want to run Debian it is probably easier on everyone if you just install it yourself ...

    I run Debian ;-)
  • Re:PHB == appendix (Score:3, Insightful)

    by Registered Coward v2 (447531) on Monday January 08, 2007 @07:38AM (#17506860)
    When it came time to ramp up to full production we found we could no longer get 120M HDDs but could get 250M for the same price (the HDDs were third party PCMCIA cards that were supposed to be "pre-imaged" by the hardware guys). The Dilbert moment happened when a PHB with way too much time on his hands had to sign the purchase order and demanded 120M HDDs because "that's what it says in the contract". The solution was illogical but effective: we quietly arranged for our hardware friends to format the 250M physical drive into a 120M logical drive and ignore the remaining space (and told them why). A few PHB-readable edits to the PO and hey presto, a warehouse full of laptops with our software pre-installed on 120M drives and an extra PHB-invisible partition.

    While I don't know the specifics of your situation and am not fond of defending PHB decisions, sometimes there is a logical reason to do something that appears stupid because "that's what it says in the contract". For example, the contract could have a requirement to ship all machines in the same configuration, so if you upgrade it later you have to go back and update all the older machines at your cost; or you could be charging someone else more for 250g machines with contract provisions that give them a "best price", so when you sell 250g devices to A at a price less than you charge B, B is entitled to a refund.

    I've seen some really stupid looking (on the surface) things done that were understandable once you learned the contractual reasons behind them - for example we would not let anyone use a conference room in our building - even though it set empty 90% of the time. Why? We were allowed to charge a client for 100% of the cost of the room - and had to discount that if anyone else used it. Since we weren't going to give up the revenue it sat empty most of the time. Stupid? Not when you looked at the bottom line, even if it meant people had to find another room to use.

    Generally companies are not so inflexible - until something goes wrong and lawyers start looking over the contract and contract performance - and suddenly the no-big-deal things become problems.

  • You may be shocked to realize that Firefox plugins and extensions don't run in any sandbox at all. They in fact have access to any resource Firefox has, which on a Windows machine is usually administrator capabilities.

    You don't need to sandbox the plugin itself - you need to sandbox any code the plugin downloads and executes. For example, a Java VM plugin is not in a sandbox, however *it* sandboxes the bytecode itself - the VM restricts what the code can do. On the other hand, ActiveX failed to do this since it provided functions to access every aspect of the host environment.

    So this isn't anything to do with insecurities in the browser, this is down to insecurities in the plugin. Any firefox plugin that allows anything downloaded from the web to execute arbitrary commands on the host would be considered similarly insecure.
  • by djupedal (584558) on Monday January 08, 2007 @08:29AM (#17507202)
    "You're in trouble the first time you try selling the water bag to someone whose car you repaired a few weeks previously."

    Well, duh :)

    A good con man always remembers the mark... Not stepping in it is all part of the dodge [filmogs.com]. Most times, during those days, it was one way, and the odds of seeing the same mark were pretty low. Families and individuals going to California [lyricsfreak.com] to make a new start for their future, right after the war, were all part of an influx that would last for decades.

    U-Haul celebrated 60 successful years in 2005 [uhaul.com], which puts them in business starting in 1945. The 'American Dream' that drove the migration west kept U-Haul busy and growing, and it wasn't until 1987 before their records revealed more equipment leaving California than was going in.
  • by mrchaotica (681592) * on Monday January 08, 2007 @08:58AM (#17507500)

    Buy a Mac.

    (Seriously.)

  • by glesga_kiss (596639) on Monday January 08, 2007 @09:29AM (#17507864)
    Most probably the extra port was there for Bluetooth support. However, I did not like the fact that as a customer I was not told about it.

    That's an insane attitude. Do you have any idea how many other unused parts there are in any PC? Strip it down to the motherboard and you'll find blank places for additional ports. Sometimes these even have blankers on the case in laptops. I used to work as an engineer in a laptop factory and one of our models had the places for a 9V adapter (it had a mains adapter as standard) as well as space for more video ram and a COM port. Never once were these ever used in any models we made, apart from a couple of prototypes. You'd need to see the board or the schematics to even know about their existence.

    You got what you paid for. Consider the "hidden" usb port a bonus. My current laptop has a built-in webcam hooked up to one of these ports. The internal architecture really isn't all that important to me as an end-user.

  • Re:Phew! (Score:2, Insightful)

    by cadeon (977561) on Monday January 08, 2007 @10:59AM (#17508964)
    There is no "-1 sinful" moderation, sorry.

    There Should be. We need a "+1 Godly" also, and perhaps a "-1 Meaningless Evangelism" to handle all those "My OS Sucks Less than yours" posts.
