A Warning to Windows Users on Acer Laptops

Update, Jan. 16, 12:57 p.m.: Acer has released an update that automates the deactivation of the culprit file, as described in this blog. The patch can be downloaded from this link here. Also, U.S. CERT has issued an advisory about this threat.

Anyone using a laptop made by computer maker Acer Inc. should be aware of a serious security threat apparently resident on many -- if not all -- models shipped with Microsoft's Windows OS over the past decade or so.

According to research first published in November and picked up only recently by geek and security news sites, Acer computers ship with a Microsoft ActiveX control that gives bad guys the ability to control any aspect of the computer remotely if the user is browsing with any version of Internet Explorer but the latest (at least in IE7 the browser is supposed to ask you if you want to run the ActiveX control, whereas older versions of IE may simply let it run automagically). Online criminals would need to lure the Acer user to a malicious Web site to pull off the hijacking -- a common Internet fraud tactic.

ActiveX (or "hacktiveX" as it is sometimes derisively called by security researchers) is a Microsoft creation that is deeply woven into the Windows operating system and into Internet Explorer. ActiveX was designed to allow Web sites to develop interactive, multimedia-rich pages, but such powerful features rarely ever come without security trade-offs.

It's not clear what function this particular ActiveX control has, other than perhaps to make it easier for Acer to troubleshoot issues should customers call with support problems. Acer users can check whether the control is present on their machine by clicking "Start," "Search," and then entering the filename, "lunchapp.ocx". It's probably safe to go ahead and remove it by clicking "Start," "Run," and typing "regsvr32 -u lunchapp.ocx" (without the quote marks), although it might not be a bad idea to set a restore point in Windows before you do (in Windows XP, you can get to the page to set a System Restore point by clicking "Start," "Programs," "Accessories," and then "System Tools").
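The check described above can also be scripted. The following PowerShell is an added example, not part of the original post or anything published by Acer: it looks for the file, lists any COM class still registered against it, and reports whether the Internet Explorer kill bit that readers mention in the comments is set for that class. The search roots are an assumption; the class ID is read from the registry rather than hard-coded.

```powershell
# Added example: audit the control named in the article. Read-only unless -Unregister is given.
# On 64-bit Windows, run it from 32-bit PowerShell to see 32-bit COM registrations.
param(
    [string]$FileName = 'lunchapp.ocx',
    [string[]]$SearchRoots = @($env:SystemRoot, $env:ProgramFiles),  # assumed locations
    [switch]$Unregister                                              # the article's "regsvr32 -u" step
)

$killBit    = 0x400   # "Compatibility Flags" bit that stops IE from loading a control
$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# 1. Copies of the file on disk (the Start > Search step).
$files = @(Get-ChildItem -Path $SearchRoots -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue)

# 2. COM classes whose in-process server is that file, i.e. the control is still registered.
$registered = @(Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        try   { $srv = $key.OpenSubKey('InprocServer32') } catch { $srv = $null }
        if ($srv) {
            $server = [string]$srv.GetValue('')      # default value = path of the DLL/OCX
            $srv.Close()
            if ($server -like "*$FileName*") {
                # 3. Is the kill bit set for this class ID?
                $flags = (Get-ItemProperty -LiteralPath "$compatRoot\$($key.PSChildName)" -ErrorAction SilentlyContinue).'Compatibility Flags'
                [pscustomobject]@{
                    Clsid      = $key.PSChildName
                    Server     = $server
                    KillBitSet = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
                }
            }
        }
    })

"Files on disk : $($files.Count)"
$files | ForEach-Object { "  $($_.FullName)" }
"Registered as : $($registered.Count) COM class(es)"
$registered | Format-Table -AutoSize

if ($Unregister) {
    foreach ($f in $files) {
        # /u unregisters, /s suppresses the dialog; the file itself stays on disk.
        Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$($f.FullName)`"" -Wait
    }
}
```

A file that is still on disk with zero registered classes is the expected state after unregistering; run the script from an elevated prompt when using `-Unregister`.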

I put a query in to Acer about this on Monday and again today, but have yet to hear back from them. I'll be sure to update this post in the event that I receive a response.

About a year ago Security Fix wrote about the danger of sloppily designed ActiveX controls. Cue the wavy lines on the screen and psychedelic music as we take you back to that post:

As it turns out, a poorly designed ActiveX control distributed by a Fortune 500 company that most consumers already trust can be just as dangerous as a malicious control foisted by a dodgy Web site. According to estimates by Richard M. Smith, a privacy and security consultant at Boston Software Forensics, more than half of all Windows PCs contain one or more ActiveX controls which allow for system takeover from malicious Web pages.

Smith found dangerous security problems in ActiveX controls distributed by dozens of other major companies, including PC manufacturers and even some of the nation's largest Internet service providers. In some cases, he said, these insecure controls come pre-installed on a Windows PC from the factory. Last year, computer maker HP and Internet service provider America Online fixed similar flaws in ActiveX controls that shipped with their software.

The most recent high-profile scare over an ActiveX control came as part of the recent controversy over a flawed piece of anti-piracy software installed by certain Sony BMG music CDs. After the label released a program to help customers remove the software, security experts found that the program left behind an ActiveX control that any Web site could use to plant any files -- even viruses or spyware -- on a visitor's computer if they browsed the site with IE.

By Brian Krebs  |  January 10, 2007; 12:52 PM ET
Categories:  Latest Warnings , Safety Tips  

Comments

Brian,

I think that a slight rewording is necessary:

user is browsing with anything but the latest version of Internet Explorer

should be:

user is browsing with any version of Internet Explorer but the latest

(Since, after all, Firefox doesn't have this problem.)

Posted by: friedman | January 10, 2007 2:00 PM | Report abuse

Haha, Friedman, right you are. An important distinction, to be sure. I've changed per your suggestion, thanks!

Posted by: Bk | January 10, 2007 2:04 PM | Report abuse

The SANS handler's diary's recommendation is to set the kill bit on the control:

http://isc.sans.org/diary.html?storyid=2025

Not sure whether setting the kill bit is superior to uninstalling, but it might protect you from someone dropping the control on you as a download, though you might be prompted in that case. Maybe someone more Windows-cognizant can comment.

Posted by: antibozo | January 10, 2007 2:27 PM | Report abuse

I have an Acer and I did a search and found "lunchapp.ocx". I ran the remove and did a search again and it was still there. Should it be? What else can I do? And is this in any way connected to the fact that since November I haven't been able to do updates on Windows and Defender? I've been trying everything I can think of to fix that problem, but nothing has worked. Ideas?

Posted by: ERS | January 10, 2007 2:30 PM | Report abuse

@ERS: the "remove" operation doesn't actually get rid of the OCX file, but unregisters it so that it can't be called by other programs (like Internet Explorer). Maybe Brian could use a different word, like "defuse" or "neutralize"?

Posted by: Cowboy_K | January 10, 2007 3:50 PM | Report abuse

I received a copy of your alert from a friend. No word of it on the Acer web site, of course... grrr

Posted by: tlcoles | January 11, 2007 4:09 AM | Report abuse

Just bought an Acer Aspire L310, a very minitower with a Celeron processor. CompUSA described it as using laptop components. So I would assume that your laptop alert probably applies here also. Haven't opened the box yet.

Posted by: Dennis | January 11, 2007 10:33 AM | Report abuse

Just chiming in with my $0.02.

There's a press release up on most Acer sites and, more importantly, a patch here.
http://support.acer-euro.com/drivers/utilities.html

From their release, the patch was introduced into Acer's OEM manufacturing processes on 4th January. Any PC built AFTER that date should therefore be flaw-less (for want of a better word).

Posted by: Michael Walsh | January 11, 2007 1:12 PM | Report abuse

Michael -- Do you have a link to said press release also?

Posted by: Anonymous | January 11, 2007 4:05 PM | Report abuse

I have an Aspire 3000 with it. Renamed it to a .jpg and it stopped working.

Posted by: D. Boone | January 11, 2007 5:08 PM | Report abuse

A really helpful column. I was thinking of buying an Acer laptop.

Posted by: reader | January 12, 2007 4:04 AM | Report abuse

FYI...

- http://www.f-secure.com/weblog/archives/archive-012007.html#00001082
January 16, 2007
"There's an update for the Acer ActiveX component vulnerability we posted on last week. Details can be found via US-CERT*. The patch is named "Acer Preload Security Patch for Windows XP" and can be found here**."

* http://www.kb.cert.org/vuls/id/221700

** http://support.acer-euro.com/drivers/utilities.html#APP

Posted by: J. Warren | January 16, 2007 10:26 AM | Report abuse

I found it the hard way on my Aspire 3003 laptop... only after stumbling on the patch on jerky acer website - got it off my pc...
calling their hotline now... just getting huge hold time and nothing but TERRible customer service.... not suggest this company to anyone... that open hole caught me went to some website AND now my pc sorta boots but mostly mouse and cursor freezes up and whole pc hangs... I can't get to my desktop nothing.... so useless can't get on the web to surf or email... pretty much a boat anchor now... also i noticed weird things going on about Nov/dec when trying to get ms windows updates and things started acting very weird...

BEWARE.... Acer must be getting flooded with tons of calls from pissed off customers... makes ya wonder who/where to buy a "GOOD" pc or laptop these days
Any ideas ?

Posted by: UnhappyAcer | January 17, 2007 7:49 PM | Report abuse

my brother has had an acer 5100 since oct when he bought it new....now just recently ...like the last 2 days it started messing up in the mouse controls...and as of tonite the mouse and any keys except the power button no longer work.

anyone else having this problem?

Posted by: embjr | January 19, 2007 5:44 AM | Report abuse

The press release can be found in the top left (under "News") section of their entire global network (except Taiwan or acer.com for some reason). For the US it's here
I won't paste the link here because it's enormous.
Essentially, if the patch was installed factory side on the 4th of December, it's going to take a while for the effects to trickle down to retail stores so even if your PC is brand new, I'd still run the patch.
Just go to their service support site, download the patch and run it. I know I have on all three of mine.

Posted by: Michael Walsh | January 19, 2007 8:25 AM | Report abuse

Sorry, the HTML code wasn't accepted. The address for Acer's US site is http://www.acer.com/us

Posted by: Michael Walsh | January 19, 2007 8:27 AM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company