Acer May Be Bugging Computers 396
tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"
Phew! (Score:1, Interesting)
And now that it's publicized... (Score:5, Interesting)
Re:And now that it's publicized... (Score:3, Interesting)
The 4th USB port (Score:4, Interesting)
Isn't it a little bit naive (Score:3, Interesting)
I bet that buried in the EULA somewhere is a statement about remote support or some other such thing that would negate any complaints about this code as far as culpability goes. Wonder what they will do now that the botnet boys know its there? Just one more reason that people who want to have a safe computer should learn how to administer one properly... IMO.
to those of us uneducated (Score:1, Interesting)
Re:to those of us uneducated (Score:5, Interesting)
A beginner & an AC - wants to know exactly how to execute the 'bad thing', and promises not to inhale
Oh...rudimentary...well, that's different. Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS WORD docs containing the words 'budget; personal; finance; medical; records; debt; sex, SSN (and all applicable variants),etc.
OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?
How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!
A new age variation on the old water-bag trick. One guy owned two service stations. One station was the last stop before heading out of LA, into the desert, heading for Palm Springs. The other was the last service station before heading out of Palm Springs, out across the desert, heading for LA. When a car stops on the LA side, the station staff sell the unaware traveler a scary story about being in the desert and having the car break down from overheating. Seems, tho, if you buy a canvas water-bag filled with water, and hang it on your car's front grille, it will supposedly help cool the air before it flows across the radiator. Best insurance money can buy. Thank ya now, ya'll have a safe trip!
Problem is, that big 'ol canvas bag actually blocks the airflow, and by the time you get near the other side of the desert, your car overheats and you have to pay the Palm Springs service station to come and tow your car and fix everything that broke from overheating. Not a small fee, even in those days. They explain how the bag is what did the damage, and the hapless owner tells them to keep it.
What do you think the Palm Springs service station guys do with the demon water-bag? Well, of course, they sell it to the next dupe going from there to LA, and even help by attaching it to the grille of his car. Thank ya now, ya'll have a safe trip!
I figure that one bag most likely made dozens of round trips across the Mohave, and put at least two generations of kids thru law school
Rumor has it owning those two stations was the fastest way to retirement until the big casinos came in and the real pocket-picking took off.
Re:Isn't it a little bit naive (Score:3, Interesting)
Anyone, almost, can get a license to drive a car. The few that will put power steering fluid in their oil because they know nothing about cars will learn a very expensive lesson. There are many examples here where just a grounding of common sense would save people from very costly and perhaps embarrassing episodes. There are awards everywhere for people that do very stupid things such as the Darwin awards. The evidence of my point is all around us, but for some reason people think that technology should simply work as simple as a toaster. Those same people forget to think about all the people that put pop-tarts in the toaster with the wrapper still on, or worse, put them in the microwave.. resulting in the required shower of sparks. All of the technology around us is capable of doing things the wrong way. It is only through common experience and learning that most people manage to not fsck things up. At this point I should say how very glad I am that people are not want to buy their own table saw or jack hammer. These can do way more damage than a George Foreman grill mixed with some Jack Daniels. I still worry every time they allow the sale of fireworks to joe public.
Even people who are only mildly aware of how a vehicle works are usually able to determine that something is wrong because its making a new sound, or not steering right etc. This is not so with computers. People are so perplexed at how complex it must be that they remain clueless as to what might be wrong when it stops working as well as it seemed that it used to work.
Some people think that all emails they get should be opened, and out of curiosity, they open nearly every attachment they receive under the mistaken notion that their ISP or AV software is going to protect them.
Perhaps they need not know how to administer a Windows network, but they should have some clues, like they have with almost every other kind of technology they use. BTW, yes, I believe that everyone who has a flashing 12:00 on their VCR/DVD player should be fined until they know how to fix it. I also think I should be able to sell them clocks that never need to be set... but that is an open market forces kind of thing. The flashing clock doesn't really hurt anyone while allowing a botnet to p0wn your machine does. If there is a license to make sure only responsible drivers are on public roads, perhaps we need something similar for computer users. There are certification programs that people can take. Its just common sense that I think they need, not the ability to rewrite the kernel.
Hopefully that clears up what I meant to say?
It's an appendix. (Score:5, Interesting)
In an old Mac of mine (G4 "Sawtooth"), there is an internal Firewire port right on the motherboard, even though there are virtually no (to my knowledge anyway) internal Firewire devices available. The most useful thing you can do with it is run it out to a dummy card-slot panel and give yourself an extra external port. (I suppose you could also run another HD by using a IDE to FW converter card, if you could find a small enough one.)
It's there, I suspect, because when they were designing that mobo, it wasn't clear that Firewire would be used primarily for DV and external peripherals, and wouldn't become the internal-peripheral interconnect of choice. For all the designers knew, Firewire could have become like SATA is today, with hard drives being built for it natively. In that case, having one inside the case could be useful as hell (particularly since that machine has space for 4 or 6 internal 3.5" HDs and 2 removable-media drives). They had no way of knowing that it would end up being the electronics version of an appendix.
I suspect if you were to look around closely at the first generations of a lot of technologies, you'd find a lot of things like this; design decisions made for possibilities that just didn't pan out, but were left there anyway.
"Pre-hosed" -- always wipe it (Score:4, Interesting)
I've just seen too many machines come pre-hosed from the factory. For anything that sees production use, I want to pack my own parachute and know exactly what is on the machine.
On PCs, I try to find drivers from the underlying OEM rather than depend on the PC vendor, as usually the PC vendor's drivers tend to be outdated, except for motherboard/system board/IO planar flash.
Re:Phew! (Score:4, Interesting)
and no, I wasn't going for humour mods... my laptop actually shipped with Linux, and I did wipe it for FreeBSD (it runs OpenSolaris now, but that's beyond the point).
Blank laptops (very very old story) (Score:2, Interesting)
First, if I I have to pay for a preinstalled OS, I cannot be made responsible for that installation. The rescue CD is a kind of responsibility contract.
Second, if I can get a blank PC, I am the one responsible for whatever will run on it without paying extra money.
Third, if I cannot choose, the one who chose in my behalf is to be responsible for whatever happens in my machine for both hw and sw.
So finally, they'd better leave the option to the customer.
And, all this would apply to whatever the OS is, not just the four colours flag OS.
What's this control named "Rootkit" do? (Score:2, Interesting)
And that's why this vulnerability was found, because the name was so damn obvious. It's as if you had an active x control registered that was named "rootkit".
This one must be the decoy. Imagine what else could be hidden in there and not named "Please throw me in the briar patch!"
Re:I'm not impressed with this IE7 "improvement" (Score:5, Interesting)
So what was the beef with ActiveX again?
Oh, and in Vista, IE7 runs in limited mode even on admin accounts, so ActiveX controls are limited too. Firefox so far doesn't take advantage of this.
It's easy to open wide a big mouth and flame Microsoft, but the thing is: how is the competition better?
I won't be surprised if all it's better about (in terms of security) is that it's less popular and thus less targeted by malware authors. We've seen some of this during the Firefox adoption boom, but I'm afraid IE7 might kill the further adoption of Firefox so I can prove it.
Re:SWAH!?! (Score:5, Interesting)
Depends on what you mean by that. I'm prepared to believe that Acer, or some of its subsidiaries, handles a significant amount of manufacturing for otherwise famous (and respected) OEM brands. That said, Acers are junk, some of those brands are not.
Having worked in manufacturing, I can say with confidence that it's *usually true* that the manufacturer can just about build anything to any quality level you desire, the only force stopping you is the almighty dollar. I worked in an auto parts plant, and we made the crappiest of parts that would die on you after a couple years to the most premium of car parts that would go on working for decades... It all depends on how much the customer is paying.
I suspect Acer, Asus, Foxconn, and any other manufacturing contractors are exactly like this. While Acer's own branded laptops are invariably crap (waaaaay too many bad experiences, ugh), I would not be surprised in the least if quality laptops are made under the same roof, for other people.
Re:Phew! (Score:3, Interesting)
PHB == appendix (Score:5, Interesting)
Many moons ago I worked on a large project where we supplied a logistics application along with 8000 laptops that we were also expected to maintain. The spec's for the laptop's were written into the $80M/5yr contract, in particular the contract specified "special" (ie: manafactured by our sister company) laptops with a 120M HDD. A thousand or so laptops were delivered immediately, I suspect this was mainly to garner a large initial payment, 800 were then stored in a warehouse by the customer for 2yrs while we wrote the software and ran a pilot with the other 200.
When it came time to ramp up to full production we found we could no longer get 120M HDD's but could get 250M for the same price (the HDD's were third party PCMCIA cards that were supposed to be "pre-imaged" by the hardware guys). The Dilbert moment happened when a PHB with way too much time on his hands had to sign the purchase order and demanded 120M HDD's because "that's what's it says in the contract". The solution was illogical but effective, we quietly arranged for our hardware friends to format the 250M physical drive into a 120M logical drive and ignore the remaning space (and told them why). A few PHB readable edits to the PO and hey presto a warehouse full of laptops with our software pre-installed on 120M drives and an extra PHB-invisible partion.
Now throwing away half the drive is clearlly illogical but in my mind it was the "optimal" solution, with the possible exception of a time consuming appendectomy that would gum up the workflow for weeks/months and could possibly result in a devil we didn't know taking over. I also say "optimal" because: The PHB belived he had asserted his authority over the project and a rival PHB in the sister company, all with just one demand. From what I recall he went off to pester someone else and gloat about it. Not only did it nueter the PHB but HR, the lawyers and the accountants were kept in their cages, the techies got a good laugh, and the customer remained oblivious to the whole fiasco.
Finally, a year or so into production when the image size started to bloat towards the 120M limit, the same PHB asked for a costing to retrofit bigger drives, like any good salesman we umm'ed and ahh'ed then went off to "see what we could do" before announcing we could remotely activate a new D: drive on a standard update cycle using some simple "magic" and a couple of mandays labour. The news delighted the PHB who promptly added a manday for his own "time". We didn't even hint that it was his previous demand had caused the current space squeeze, we simply saved our eveidence in case an appendectomy was required at some future random impasse. We also saved all the "can do" brownie points for the next time we had to convince the same PHB that his proposed solution to some imaginary problem really, truly, is a "can't do" situation, regardless of what PC week says.
Re:to those of us uneducated (Score:3, Interesting)
Run(drive,path,"type \"FTP COMMAND LIST HERE\" > script.txt");
or any other method of entering arbitrary command-line data into a file.
Then, run as normal.
Re:Where are the positives? (Score:1, Interesting)
Of course, all countries would do well to prevent foreign agencies having the ability to load software onto their machines. Windows and Mac update services are particularly notable here: in the event of a large-scale war, American authorities will use these to spy on enemy computers. But the spying will be done very covertly. There won't be any obviously recognisable backdoors. If any are found, they won't be announced on Slashdot.
This is just the work of some retard at Acer who didn't realise he was introducing a backdoor. Plenty of idiots think they can write software.
Re:Question: is this another Acer backdoor? (Score:3, Interesting)
That's just what happens when you install the
Pretty cool, huh?
contract manufacturing of computers (Score:4, Interesting)
Re:SWAH!?! (Score:3, Interesting)
The Acer Service Center which I was a frequent visitor at with the 4600 offers extended warranties. The extended warranty for the "business line" is half the price of the budget line. That alone says it all.