Has Acer Left Its Customers Wide Open To Attacks?

from the security? dept

Sony BMG got itself in a bit of hot water when it was discovered that some of the company’s CDs installed rootkits on consumers’ PCs. It remains a sticky subject a year later, not just for Sony, but for other companies who want to use similar types of products to exert an inordinate amount of control over a user’s computer. Now, some people are wondering if Acer has been installing an ActiveX script that allows a web site to run any program on the computer it sells, perhaps as far back as 1998. There are plenty of reasons a PC manufacturer might want to do this — remote support or updates, for instance — but it’s hard to think they justify leaving users’ PCs open to attack in such a wide-open way. Call us crazy, but it seems like PC makers should be helping to protect users when it comes to security, rather than making it easier for them to be attacked.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Has Acer Left Its Customers Wide Open To Attacks?”

Subscribe: RSS Leave a comment
misanthropic humanist says:

open door

Looks that way. Slashdot carried this earlier today and it took someone a couple of minutes to demonstrate a working exploit, nothing but a few lines of HTML and script that could launch arbitary applications. Replace that with an FTP script (arguments passed) to download something nasty and you’ve pwned the box.

(this is safe – it just launches calc)


It’s a deliberate backdoor, and worse than that it’s been there for 8 years!


misanthropic humanist says:

Re: Re: open door

I agree. But if what Neal says is right then this whole caper is scandalous anyway and there’s plenty more exploits already around. Lord knows what other nice little tricks that function has been turned to. How many years? What have they done about it?

Let’s state this as clearly and simply as possible:

If you buy a computer with a pre-installed operating system or software you should not trust the security of that system.

Every admin and CTO should heed this and take it very seriously. Purchase your hardware sans operating system and install your own. It is a myth that you can only buy hardware with Windows installed, find a supplier that isn’t pressured to bundle by Microsoft – even if it costs more (the costs of wiping as well as reinstalling will be greater).

Do not buy bundled operating systems unless you want to leave yourself wide open. You cannot trust the supplier.

misanthropic humanist says:

Re: Re: Re:2 open door

Welcome to a brave new and much, much smaller world matey. You have now officially graduated to the 0.1% of people who should actually be allowed to administrate computer systems. For an extra 10 point bonus name the “operating system” that you should not install

B) Solaris
C) Plan9
D) Microsoft Windows

(shame there wasn’t an extra S and H isnt it)

Anonymous Coward says:

Re: Not Surprising

This isn’t a windows exploit. If you run a browser with privileged credentials which supports a plugin api (activex) which has a plugin which is designed specifically to run arbitrary code upon command by a web site, regardless of the OS, you can be owned.

If you dont run as admin, you can’t be owned. (I am well aware that most windows users run as admin)

If you dont run IE, you can’t be owned (I am well aware that most windows users use IE)

If you dont have this plugin installed, you can’t be owned (how can you call it an exploit in X if it requires installation of Y to actually exploit?)

The fact is, the exploit here is of acer’s stupidity and/or carelessness taken root in Microsoft’s incredibly overoptimistic security paradigms as expressed in far more software than just ‘windows’

Shaltenn (user link) says:

Only an idiot...

would buy a machine and accept the operating system as good to do. With all the crapware pre-loaded on systems nowadays, whenever I get a new laptop or machine I first nuke it, de-partition it completely, repartition it how I want it, then rebuild it with my OS of choice.

I’ve had an Acer for years and never saw this problem – probably because I never used the system without a rebuild. The moment it came out of the box, I booted it straight to XP setup and reinstalled.

Gryphon says:

Re: Only an idiot...

Acer puts a nice little clause in with machines now. Destroy installed information, you void the warranty.

The recent Acer 5100 I purchased had no less than 3 FAT32 partitions on it – Primary+Mirror and Recovery. A 100GB disk emasculated into something resembling 36GB. That, and all the crapware that was installed made it necessary to resinstall a fresh copy of *anything.*

Warranty? Meet Ghost.

Anonymous Coward says:

And the moral of the story is...

Don’t buy Acer. Just that simple. Regardless of how screwed up Windows may be, Acer deliberately exploited the system to take control of the conumer’s machine with no regard for how this might compromise their security overall.
Without a substantial loss in consumer confidence that translates immediately into lost sales, there is no incentive for other companies to behave any better.
In short, make the world a better place – don’t buy an Acer.
While you are at it – don’t buy Sony.

Jeff says:

Re: And the moral of the story is...

Only problem with that is, when you start keeping a hit list of companies to avoid, sooner or later, every company on the planet is on that list, because, by and large, they’re all a buncha f***tards.

The posts above saying don’t trust someone else’s install, make your own (and Ghost it if you have to in order to stay in warranty) are right on the money. Because the real moral if you need one, is the age-old “if you wanna get something done right, do it yourself”.

Otherwise you’ll carry that mantra to extreme, avoiding all manufacturers and be reduced to making your own microchips from raw silicon, etc. Maybe *YOU* can do it, if so, kudos, but it’s a waste of my time.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...