Slashdot Log In
Acer May Be Bugging Computers
Posted by
Zonk
on Mon Jan 08, 2007 01:43 AM
from the might-want-to-look-into-this dept.
from the might-want-to-look-into-this dept.
tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
But dude... (Score:5, Funny)
Re:But dude... (Score:5, Funny)
Parent
And now that it's publicized... (Score:5, Interesting)
Uhh, there already IS an exploit... (Score:5, Informative)
But as you can run ANY windows binary with any command line (at least according to the article), actual exploitation is trivial.
Parent
Re:And now that it's publicized... (Score:5, Funny)
Parent
Re:And now that it's publicized... (Score:5, Informative)
Parent
Lessons learned... (Score:5, Insightful)
2) When you can't build your own (laptops), *always* re-install your OS after purchasing a new computer, and for God's sake use a real install CD and not the recovery one provided by the manufacturer.
LunchApp.ocx (Score:5, Funny)
The original article failed to notice that it's a Lunch application. It's actually a throw back to when Acer briefly partnered up with 180solutions to deliver targeted pop-under sandwiches to hungry laptop owners. The idea being that after seventeen hours of trying to uninstall Bonsai Buddy the computer user would be debilitated through starvation and susceptible receptive to sp(iced h)am..
The program was abandoned when Acer's engineers failed to perfect the wasabi-over-ip protocol - leaving the whole system unreliable an prone to bagel overrun.
SWAH!?! (Score:5, Funny)
Acer still makes computers? People still buy them?
I remember Acer being a budget brand with a bad rep for quality and customer service back in the mid- to late-90s. I can't believe they are still a going concern.
Re:SWAH!?! (Score:5, Interesting)
Depends on what you mean by that. I'm prepared to believe that Acer, or some of its subsidiaries, handles a significant amount of manufacturing for otherwise famous (and respected) OEM brands. That said, Acers are junk, some of those brands are not.
Having worked in manufacturing, I can say with confidence that it's *usually true* that the manufacturer can just about build anything to any quality level you desire, the only force stopping you is the almighty dollar. I worked in an auto parts plant, and we made the crappiest of parts that would die on you after a couple years to the most premium of car parts that would go on working for decades... It all depends on how much the customer is paying.
I suspect Acer, Asus, Foxconn, and any other manufacturing contractors are exactly like this. While Acer's own branded laptops are invariably crap (waaaaay too many bad experiences, ugh), I would not be surprised in the least if quality laptops are made under the same roof, for other people.
Parent
Late again! (Score:5, Informative)
pre-owned? (Score:5, Funny)
BBH
Re:Phew! (Score:5, Funny)
Parent
Re:Phew! (Score:5, Funny)
Parent
Re:Phew! (Score:5, Funny)
I immediately reformatted my newly-purchased Acer's hard disk, installed DR-DOS and Crosstalk and do all my computing on a VAX 11/750.
Next...
Parent
Re:Phew! (Score:5, Informative)
I recently bought a laptop with Ubuntu pre-installed from The Linux Store [thelinuxstore.ca], which is in Ontario. I've been perfectly satisfied aside from the minor point that they only offer the choice of Ubuntu and Fedora Core when I would have preferred Debian.
Parent
Re:Phew! (Score:5, Funny)
Parent
Re:The 4th USB port (Score:5, Insightful)
Plus, if they do no wireless, Wifi-only and Wifi+BT models, with a single Mini-PCI slot, they would need both Wifi and Wifi+BT cards, if they have a "hidden" USB port, they only need to stock Wifi mini-PCI cards and USB bluetooth adapters, the same adapters that are sold independently.
Parent
It's an appendix. (Score:5, Interesting)
In an old Mac of mine (G4 "Sawtooth"), there is an internal Firewire port right on the motherboard, even though there are virtually no (to my knowledge anyway) internal Firewire devices available. The most useful thing you can do with it is run it out to a dummy card-slot panel and give yourself an extra external port. (I suppose you could also run another HD by using a IDE to FW converter card, if you could find a small enough one.)
It's there, I suspect, because when they were designing that mobo, it wasn't clear that Firewire would be used primarily for DV and external peripherals, and wouldn't become the internal-peripheral interconnect of choice. For all the designers knew, Firewire could have become like SATA is today, with hard drives being built for it natively. In that case, having one inside the case could be useful as hell (particularly since that machine has space for 4 or 6 internal 3.5" HDs and 2 removable-media drives). They had no way of knowing that it would end up being the electronics version of an appendix.
I suspect if you were to look around closely at the first generations of a lot of technologies, you'd find a lot of things like this; design decisions made for possibilities that just didn't pan out, but were left there anyway.
Parent
Re:to those of us uneducated (Score:5, Informative)
Parent
Re:to those of us uneducated (Score:5, Interesting)
A beginner & an AC - wants to know exactly how to execute the 'bad thing', and promises not to inhale
Oh...rudimentary...well, that's different. Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS WORD docs containing the words 'budget; personal; finance; medical; records; debt; sex, SSN (and all applicable variants),etc.
OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?
How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!
A new age variation on the old water-bag trick. One guy owned two service stations. One station was the last stop before heading out of LA, into the desert, heading for Palm Springs. The other was the last service station before heading out of Palm Springs, out across the desert, heading for LA. When a car stops on the LA side, the station staff sell the unaware traveler a scary story about being in the desert and having the car break down from overheating. Seems, tho, if you buy a canvas water-bag filled with water, and hang it on your car's front grille, it will supposedly help cool the air before it flows across the radiator. Best insurance money can buy. Thank ya now, ya'll have a safe trip!
Problem is, that big 'ol canvas bag actually blocks the airflow, and by the time you get near the other side of the desert, your car overheats and you have to pay the Palm Springs service station to come and tow your car and fix everything that broke from overheating. Not a small fee, even in those days. They explain how the bag is what did the damage, and the hapless owner tells them to keep it.
What do you think the Palm Springs service station guys do with the demon water-bag? Well, of course, they sell it to the next dupe going from there to LA, and even help by attaching it to the grille of his car. Thank ya now, ya'll have a safe trip!
I figure that one bag most likely made dozens of round trips across the Mohave, and put at least two generations of kids thru law school
Rumor has it owning those two stations was the fastest way to retirement until the big casinos came in and the real pocket-picking took off.
Parent
Re:to those of us uneducated (Score:5, Informative)
I really have a hard time understanding your mindset. You refuse to believe in the seriousness of the vuln even when people give you an attack vector example. Please, why ?
Parent
Re:present on Aspire 1690 (Score:5, Informative)
Goto Start > Run and type:
regsvr32 -u lunchapp.ocx
(-u for uninstall)
Parent
Re:I'm not impressed with this IE7 "improvement" (Score:5, Interesting)
So what was the beef with ActiveX again?
Oh, and in Vista, IE7 runs in limited mode even on admin accounts, so ActiveX controls are limited too. Firefox so far doesn't take advantage of this.
It's easy to open wide a big mouth and flame Microsoft, but the thing is: how is the competition better?
I won't be surprised if all it's better about (in terms of security) is that it's less popular and thus less targeted by malware authors. We've seen some of this during the Firefox adoption boom, but I'm afraid IE7 might kill the further adoption of Firefox so I can prove it.
Parent
Re:On behalf of Acer (Score:5, Insightful)
Parent