Sunday, January 07, 2007

Got an Acer laptop? You may have a problem.

This one's so blatant that I keep thinking it must be a mistaken report.

Microsoft years ago created a system to allow web pages to run software on your machine. The software was called "ActiveX controls", and there were standards for classifying them as safe or unsafe, to prevent web pages from doing damage by running unsafe software.

According to a report by Tan Chew Keong, the TravelMate 4150 and Aspire 5600, maybe others for all we know, shipped from Acer with an ActiveX control installed that lets any web page run any software on your computer with any parameters the web page chooses.

That would allow a hostile web site to tell your machine to download hostile programs and run them. After that, it stops being your machine.

There's no convenient way to tell if you're affected, unless you have a place where you can upload HTML for experiments.

Easy protective measures include not running Internet Explorer. Other browsers don't support ActiveX, so you can't be affected if you don't run IE. It's possible to disable the rogue ActiveX control, but until I find out what it's supposed to be doing I hesitate to recommend that. It's not a process for a non-technical person to attempt anyway.
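For the technical friends: the two questions above (is the control installed and scriptable from web pages, and has IE been told to refuse it?) can be answered from the registry without uploading any HTML anywhere. The script below is an added example, not part of the original post and not Acer's or the advisory authors' code. It assumes you know the control's CLSID from the linked advisories; the all-zero CLSID in the script is a placeholder, since this post does not give the real one. The category GUIDs and the "Compatibility Flags" kill bit are Microsoft's standard mechanisms for marking a control safe or blocking it in IE.

```powershell
# Added example (not from the original post or from Acer): audit whether a given
# ActiveX control is registered on this machine, whether it advertises itself as
# "Safe for Scripting" (the classification the post mentions), and whether
# Internet Explorer has been told to refuse it via the "kill bit".
# The default CLSID below is a PLACEHOLDER; substitute the CLSID given in the
# linked advisories before running.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
)

# Well-known component-category GUIDs that IE consults (Microsoft's values).
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit             = 0x400   # COMPAT_EVIL_DONT_LOAD bit in "Compatibility Flags"

function Get-ActiveXStatus {
    param([string]$Clsid)

    $result = [ordered]@{
        Clsid               = $Clsid
        Registered          = $false
        ServerDll           = $null
        SafeForScripting    = $false
        SafeForInitializing = $false
        KillBitSet          = $false
    }

    # Is the control registered at all? HKCR is not mounted as a drive by
    # default, so go through the HKLM\SOFTWARE\Classes alias instead.
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    if (Test-Path $clsidKey) {
        $result.Registered = $true
        $server = Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue
        if ($server) { $result.ServerDll = $server.'(default)' }

        # A control declares "safe" categories as subkeys of Implemented Categories.
        $result.SafeForScripting    = Test-Path "$clsidKey\Implemented Categories\$SafeForScripting"
        $result.SafeForInitializing = Test-Path "$clsidKey\Implemented Categories\$SafeForInitializing"
    }

    # The kill bit lives outside the control's own key, so IE can refuse a
    # control even while the vendor's DLL stays installed and registered.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags) {
        $result.KillBitSet = (($flags -band $KillBit) -eq $KillBit)
    }

    [pscustomobject]$result
}

$status = Get-ActiveXStatus -Clsid $Clsid
$status | Format-List

if ($status.Registered -and $status.SafeForScripting -and -not $status.KillBitSet) {
    Write-Warning "Control is installed, marked scriptable from web pages, and not kill-bitted: IE will load it."
} elseif (-not $status.Registered) {
    Write-Host "Control is not registered on this machine."
} else {
    Write-Host "Control is present, but IE should not script it (kill bit set or not marked safe)."
}
```

Run it as `.\Check-ActiveX.ps1 -Clsid '{the-clsid-from-the-advisory}'`. One caveat: a control can also claim to be safe at run time through the IObjectSafety interface rather than through registry categories, so a "not marked safe" result from this registry check is not proof that IE will refuse to script it; only a set kill bit (or the control being absent) gives that assurance.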

Turn off "Active Scripting" in Tools/Options/Security except for sites that really need it and that you think aren't controlled by crooks.

This is just too bizarre to be right: it's like a car maker selling a car with spare keys taped to the outside.

Details for your technical friends:
http://vuln.sg/acerlunchapp-en.html
http://downloads.securityfocus.com/vulnerabilities/exploits/acer_poc.txt
http://secunia.com/advisories/23003
http://www.securityfocus.com/bid/21207

UPDATE 1/16:

Acer has released a security fix. Download and install it quickly; the bad guys know all about this one, and it's drop-dead easy for them to use.
