Last Updated: 2007-01-16 18:29:58 UTC
by Bojan Zdrnja (Version: 2)
The original article, available at http://vuln.sg/acerlunchapp-en.html, dates back to November, but for some reason this hit the news now.
The ActiveX control is very simple and basically allows an attacker to execute any binary on a remote machine by just providing a full path to it and (if needed) arguments. The control is also marked as safe for scripting.
I’ve quickly tested this on a new Acer TravelMate and the ActiveX control is certainly there. However, even with Internet Explorer 6 (on Windows XP SP2), it does not run automatically, but will warn the user who has to allow the control to run. Internet Explorer 7 will warn the user with the full control name and will not run it automatically either.
At this point in time, until the patch is available, the best thing would be to set the kill bit on this control – see http://support.microsoft.com/kb/240797 for information on how to set kill bits.
Acer has released a patch to address this issue. It is called "Acer Preload Security Patch for Windows XP" and can be downloaded here. The updated US-CERT vulnerability notice with information about the patch can be found here.