Has Acer Left Its Customers Wide Open To Attacks?
from the security? dept
Sony BMG got itself in a bit of hot water when it was discovered that some of the company’s CDs installed rootkits on consumers’ PCs. It remains a sticky subject a year later, not just for Sony, but for other companies who want to use similar types of products to exert an inordinate amount of control over a user’s computer. Now, some people are wondering if Acer has been installing an ActiveX script that allows a web site to run any program on the computer it sells, perhaps as far back as 1998. There are plenty of reasons a PC manufacturer might want to do this — remote support or updates, for instance — but it’s hard to think they justify leaving users’ PCs open to attack in such a wide-open way. Call us crazy, but it seems like PC makers should be helping to protect users when it comes to security, rather than making it easier for them to be attacked.
Comments on “Has Acer Left Its Customers Wide Open To Attacks?”
open door
Looks that way. Slashdot carried this earlier today and it took someone a couple of minutes to demonstrate a working exploit, nothing but a few lines of HTML and script that could launch arbitary applications. Replace that with an FTP script (arguments passed) to download something nasty and you’ve pwned the box.
(this is safe – it just launches calc)
http://yro.slashdot.org/comments.pl?sid=215582&cid=17506598
It’s a deliberate backdoor, and worse than that it’s been there for 8 years!
Yikes.
Re: open door
Faster than that, the example was in TFA before it was even posted! noone from /. even needed to copy/paste a thing.
But thats never stopped them.
Re: Re: open door
I agree. But if what Neal says is right then this whole caper is scandalous anyway and there’s plenty more exploits already around. Lord knows what other nice little tricks that function has been turned to. How many years? What have they done about it?
Let’s state this as clearly and simply as possible:
If you buy a computer with a pre-installed operating system or software you should not trust the security of that system.
Every admin and CTO should heed this and take it very seriously. Purchase your hardware sans operating system and install your own. It is a myth that you can only buy hardware with Windows installed, find a supplier that isn’t pressured to bundle by Microsoft – even if it costs more (the costs of wiping as well as reinstalling will be greater).
Do not buy bundled operating systems unless you want to leave yourself wide open. You cannot trust the supplier.
Re: Re: Re: open door
Thanks for the digested security principle, MH, I knew it in my gut but hadn’t quite found the solid resolution in my mind to state it as a law of security that I can stand firm on.
Re: Re: Re:2 open door
Welcome to a brave new and much, much smaller world matey. You have now officially graduated to the 0.1% of people who should actually be allowed to administrate computer systems. For an extra 10 point bonus name the “operating system” that you should not install
A) BSD
B) Solaris
C) Plan9
D) Microsoft Windows
E) OSX
clue: WORM SOWN DISC OF IT
(shame there wasn’t an extra S and H isnt it)
Old news, Surprised it's still around
I read about this several years ago. It’s amazing that it’s still around to be rediscovered after the focus on security of late. What a big dumbAcer.
Not Surprising
This is a windows exploit. Not a computer exploit. Did Acer/ Sony do a bad thing? Yes, however, this can be avoided by running an inherently more secure OS than the one that comes preinstalled.
Re: Not Surprising
Not even remotely close.
This is a plugin, not an exploit at all. Although this particular plugin was written using ActiveX, it COULD have been a java class, and preinstalled in any browser that supports java.
Re: Not Surprising
This isn’t a windows exploit. If you run a browser with privileged credentials which supports a plugin api (activex) which has a plugin which is designed specifically to run arbitrary code upon command by a web site, regardless of the OS, you can be owned.
If you dont run as admin, you can’t be owned. (I am well aware that most windows users run as admin)
If you dont run IE, you can’t be owned (I am well aware that most windows users use IE)
If you dont have this plugin installed, you can’t be owned (how can you call it an exploit in X if it requires installation of Y to actually exploit?)
The fact is, the exploit here is of acer’s stupidity and/or carelessness taken root in Microsoft’s incredibly overoptimistic security paradigms as expressed in far more software than just ‘windows’
**Class Action Lawsuit**
_.-;;-._
‘-..-‘| || |
‘-..-‘|_.-;;-._|
‘-..-‘| || |
‘-..-‘|_.-”-._|
Only an idiot...
would buy a machine and accept the operating system as good to do. With all the crapware pre-loaded on systems nowadays, whenever I get a new laptop or machine I first nuke it, de-partition it completely, repartition it how I want it, then rebuild it with my OS of choice.
I’ve had an Acer for years and never saw this problem – probably because I never used the system without a rebuild. The moment it came out of the box, I booted it straight to XP setup and reinstalled.
Re: Only an idiot...
Acer puts a nice little clause in with machines now. Destroy installed information, you void the warranty.
The recent Acer 5100 I purchased had no less than 3 FAT32 partitions on it – Primary+Mirror and Recovery. A 100GB disk emasculated into something resembling 36GB. That, and all the crapware that was installed made it necessary to resinstall a fresh copy of *anything.*
Warranty? Meet Ghost.
And the moral of the story is...
Don’t buy Acer. Just that simple. Regardless of how screwed up Windows may be, Acer deliberately exploited the system to take control of the conumer’s machine with no regard for how this might compromise their security overall.
Without a substantial loss in consumer confidence that translates immediately into lost sales, there is no incentive for other companies to behave any better.
In short, make the world a better place – don’t buy an Acer.
While you are at it – don’t buy Sony.
Re: And the moral of the story is...
Only problem with that is, when you start keeping a hit list of companies to avoid, sooner or later, every company on the planet is on that list, because, by and large, they’re all a buncha f***tards.
The posts above saying don’t trust someone else’s install, make your own (and Ghost it if you have to in order to stay in warranty) are right on the money. Because the real moral if you need one, is the age-old “if you wanna get something done right, do it yourself”.
Otherwise you’ll carry that mantra to extreme, avoiding all manufacturers and be reduced to making your own microchips from raw silicon, etc. Maybe *YOU* can do it, if so, kudos, but it’s a waste of my time.