Has Acer Left Its Customers Wide Open To Attacks?

from the security? dept

Sony BMG got itself in a bit of hot water when it was discovered that some of the company's CDs installed rootkits on consumers' PCs. It remains a sticky subject a year later, not just for Sony, but for other companies who want to use similar types of products to exert an inordinate amount of control over a user's computer. Now, some people are wondering if Acer has been installing an ActiveX script that allows a web site to run any program on the computer it sells, perhaps as far back as 1998. There are plenty of reasons a PC manufacturer might want to do this -- remote support or updates, for instance -- but it's hard to think they justify leaving users' PCs open to attack in such a wide-open way. Call us crazy, but it seems like PC makers should be helping to protect users when it comes to security, rather than making it easier for them to be attacked.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    misanthropic humanist, Jan 8th, 2007 @ 10:10am

    open door

    Looks that way. Slashdot carried this earlier today and it took someone a couple of minutes to demonstrate a working exploit, nothing but a few lines of HTML and script that could launch arbitary applications. Replace that with an FTP script (arguments passed) to download something nasty and you've pwned the box.

    (this is safe - it just launches calc)

    http://yro.slashdot.org/comments.pl?sid=215582&cid=17506598


    It's a deliberate backdoor, and worse than that it's been there for 8 years!

    Yikes.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Neal, Jan 8th, 2007 @ 10:18am

    Old news, Surprised it's still around

    I read about this several years ago. It's amazing that it's still around to be rediscovered after the focus on security of late. What a big dumbAcer.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Bumbling old fool, Jan 8th, 2007 @ 10:21am

    Re: open door

    Faster than that, the example was in TFA before it was even posted! noone from /. even needed to copy/paste a thing.

    But thats never stopped them.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    HotGARBAGE, Jan 8th, 2007 @ 11:29am

    Not Surprising

    This is a windows exploit. Not a computer exploit. Did Acer/ Sony do a bad thing? Yes, however, this can be avoided by running an inherently more secure OS than the one that comes preinstalled.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    misanthropic humanist, Jan 8th, 2007 @ 11:38am

    Re: Re: open door

    I agree. But if what Neal says is right then this whole caper is scandalous anyway and there's plenty more exploits already around. Lord knows what other nice little tricks that function has been turned to. How many years? What have they done about it?

    Let's state this as clearly and simply as possible:

    If you buy a computer with a pre-installed operating system or software you should not trust the security of that system.

    Every admin and CTO should heed this and take it very seriously. Purchase your hardware sans operating system and install your own. It is a myth that you can only buy hardware with Windows installed, find a supplier that isn't pressured to bundle by Microsoft - even if it costs more (the costs of wiping as well as reinstalling will be greater).

    Do not buy bundled operating systems unless you want to leave yourself wide open. You cannot trust the supplier.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Bumbling old fool, Jan 8th, 2007 @ 11:45am

    Re: Not Surprising

    Not even remotely close.

    This is a plugin, not an exploit at all. Although this particular plugin was written using ActiveX, it COULD have been a java class, and preinstalled in any browser that supports java.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Jan 8th, 2007 @ 12:19pm

    Re: Not Surprising

    This isn't a windows exploit. If you run a browser with privileged credentials which supports a plugin api (activex) which has a plugin which is designed specifically to run arbitrary code upon command by a web site, regardless of the OS, you can be owned.

    If you dont run as admin, you can't be owned. (I am well aware that most windows users run as admin)

    If you dont run IE, you can't be owned (I am well aware that most windows users use IE)

    If you dont have this plugin installed, you can't be owned (how can you call it an exploit in X if it requires installation of Y to actually exploit?)

    The fact is, the exploit here is of acer's stupidity and/or carelessness taken root in Microsoft's incredibly overoptimistic security paradigms as expressed in far more software than just 'windows'

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Jan 8th, 2007 @ 12:20pm

    Re: Re: Re: open door

    Thanks for the digested security principle, MH, I knew it in my gut but hadn't quite found the solid resolution in my mind to state it as a law of security that I can stand firm on.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Jan 8th, 2007 @ 1:31pm

    **Class Action Lawsuit**

    _.-;;-._
    '-..-'| || |
    '-..-'|_.-;;-._|
    '-..-'| || |
    '-..-'|_.-''-._|

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    misanthropic humanist, Jan 8th, 2007 @ 1:58pm

    Re: Re: Re: Re: open door

    Welcome to a brave new and much, much smaller world matey. You have now officially graduated to the 0.1% of people who should actually be allowed to administrate computer systems. For an extra 10 point bonus name the "operating system" that you should not install

    A) BSD
    B) Solaris
    C) Plan9
    D) Microsoft Windows
    E) OSX

    clue: WORM SOWN DISC OF IT
    (shame there wasn't an extra S and H isnt it)

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Shaltenn, Jan 8th, 2007 @ 2:26pm

    Only an idiot...

    would buy a machine and accept the operating system as good to do. With all the crapware pre-loaded on systems nowadays, whenever I get a new laptop or machine I first nuke it, de-partition it completely, repartition it how I want it, then rebuild it with my OS of choice.

    I've had an Acer for years and never saw this problem - probably because I never used the system without a rebuild. The moment it came out of the box, I booted it straight to XP setup and reinstalled.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Gryphon, Jan 8th, 2007 @ 2:51pm

    Re: Only an idiot...

    Acer puts a nice little clause in with machines now. Destroy installed information, you void the warranty.

    The recent Acer 5100 I purchased had no less than 3 FAT32 partitions on it - Primary+Mirror and Recovery. A 100GB disk emasculated into something resembling 36GB. That, and all the crapware that was installed made it necessary to resinstall a fresh copy of *anything.*

    Warranty? Meet Ghost.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Jan 8th, 2007 @ 7:56pm

    And the moral of the story is...

    Don't buy Acer. Just that simple. Regardless of how screwed up Windows may be, Acer deliberately exploited the system to take control of the conumer's machine with no regard for how this might compromise their security overall.
    Without a substantial loss in consumer confidence that translates immediately into lost sales, there is no incentive for other companies to behave any better.
    In short, make the world a better place - don't buy an Acer.
    While you are at it - don't buy Sony.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Jeff, Jan 9th, 2007 @ 3:45am

    Re: And the moral of the story is...

    Only problem with that is, when you start keeping a hit list of companies to avoid, sooner or later, every company on the planet is on that list, because, by and large, they're all a buncha f***tards.

    The posts above saying don't trust someone else's install, make your own (and Ghost it if you have to in order to stay in warranty) are right on the money. Because the real moral if you need one, is the age-old "if you wanna get something done right, do it yourself".

    Otherwise you'll carry that mantra to extreme, avoiding all manufacturers and be reduced to making your own microchips from raw silicon, etc. Maybe *YOU* can do it, if so, kudos, but it's a waste of my time.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This