Has Acer Left Its Customers Wide Open To Attacks?

from the security? dept

Mon, Jan 8th 2007 9:55am — Carlo Longino

Sony BMG got itself in a bit of hot water when it was discovered that some of the company's CDs installed rootkits on consumers' PCs. It remains a sticky subject a year later, not just for Sony, but for other companies who want to use similar types of products to exert an inordinate amount of control over a user's computer. Now, some people are wondering if Acer has been installing an ActiveX script that allows a web site to run any program on the computer it sells, perhaps as far back as 1998. There are plenty of reasons a PC manufacturer might want to do this -- remote support or updates, for instance -- but it's hard to think they justify leaving users' PCs open to attack in such a wide-open way. Call us crazy, but it seems like PC makers should be helping to protect users when it comes to security, rather than making it easier for them to be attacked.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

misanthropic humanist, 8 Jan 2007 @ 10:10am

open door
Looks that way. Slashdot carried this earlier today and it took someone a couple of minutes to demonstrate a working exploit, nothing but a few lines of HTML and script that could launch arbitary applications. Replace that with an FTP script (arguments passed) to download something nasty and you've pwned the box.

(this is safe - it just launches calc)

http://yro.slashdot.org/comments.pl?sid=215582&cid=17506598

It's a deliberate backdoor, and worse than that it's been there for 8 years!

Yikes.
[ link to this | view in chronology ]
- Bumbling old fool, 8 Jan 2007 @ 10:21am
  
  Re: open door
  Faster than that, the example was in TFA before it was even posted! noone from /. even needed to copy/paste a thing.
  
  But thats never stopped them.
  [ link to this | view in chronology ]
  - misanthropic humanist, 8 Jan 2007 @ 11:38am
    
    Re: Re: open door
    I agree. But if what Neal says is right then this whole caper is scandalous anyway and there's plenty more exploits already around. Lord knows what other nice little tricks that function has been turned to. How many years? What have they done about it?
    
    Let's state this as clearly and simply as possible:
    
    If you buy a computer with a pre-installed operating system or software you should not trust the security of that system.
    
    Every admin and CTO should heed this and take it very seriously. Purchase your hardware sans operating system and install your own. It is a myth that you can only buy hardware with Windows installed, find a supplier that isn't pressured to bundle by Microsoft - even if it costs more (the costs of wiping as well as reinstalling will be greater).
    
    Do not buy bundled operating systems unless you want to leave yourself wide open. You cannot trust the supplier.
    [ link to this | view in chronology ]
    - Anonymous Coward, 8 Jan 2007 @ 12:20pm
      
      Re: Re: Re: open door
      Thanks for the digested security principle, MH, I knew it in my gut but hadn't quite found the solid resolution in my mind to state it as a law of security that I can stand firm on.
      [ link to this | view in chronology ]
      - misanthropic humanist, 8 Jan 2007 @ 1:58pm
        
        Re: Re: Re: Re: open door
        Welcome to a brave new and much, much smaller world matey. You have now officially graduated to the 0.1% of people who should actually be allowed to administrate computer systems. For an extra 10 point bonus name the "operating system" that you should not install
        
        A) BSD
        B) Solaris
        C) Plan9
        D) Microsoft Windows
        E) OSX
        
        clue: WORM SOWN DISC OF IT
        (shame there wasn't an extra S and H isnt it)
        [ link to this | view in chronology ]
Neal, 8 Jan 2007 @ 10:18am

Old news, Surprised it's still around
I read about this several years ago. It's amazing that it's still around to be rediscovered after the focus on security of late. What a big dumbAcer.
[ link to this | view in chronology ]
HotGARBAGE, 8 Jan 2007 @ 11:29am

Not Surprising
This is a windows exploit. Not a computer exploit. Did Acer/ Sony do a bad thing? Yes, however, this can be avoided by running an inherently more secure OS than the one that comes preinstalled.
[ link to this | view in chronology ]
- Bumbling old fool, 8 Jan 2007 @ 11:45am
  
  Re: Not Surprising
  Not even remotely close.
  
  This is a plugin, not an exploit at all. Although this particular plugin was written using ActiveX, it COULD have been a java class, and preinstalled in any browser that supports java.
  [ link to this | view in chronology ]
- Anonymous Coward, 8 Jan 2007 @ 12:19pm
  
  Re: Not Surprising
  This isn't a windows exploit. If you run a browser with privileged credentials which supports a plugin api (activex) which has a plugin which is designed specifically to run arbitrary code upon command by a web site, regardless of the OS, you can be owned.
  
  If you dont run as admin, you can't be owned. (I am well aware that most windows users run as admin)
  
  If you dont run IE, you can't be owned (I am well aware that most windows users use IE)
  
  If you dont have this plugin installed, you can't be owned (how can you call it an exploit in X if it requires installation of Y to actually exploit?)
  
  The fact is, the exploit here is of acer's stupidity and/or carelessness taken root in Microsoft's incredibly overoptimistic security paradigms as expressed in far more software than just 'windows'
  [ link to this | view in chronology ]
Anonymous Coward, 8 Jan 2007 @ 1:31pm

**Class Action Lawsuit**

_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
[ link to this | view in chronology ]
Shaltenn, 8 Jan 2007 @ 2:26pm

Only an idiot...
would buy a machine and accept the operating system as good to do. With all the crapware pre-loaded on systems nowadays, whenever I get a new laptop or machine I first nuke it, de-partition it completely, repartition it how I want it, then rebuild it with my OS of choice.

I've had an Acer for years and never saw this problem - probably because I never used the system without a rebuild. The moment it came out of the box, I booted it straight to XP setup and reinstalled.
[ link to this | view in chronology ]
- Gryphon, 8 Jan 2007 @ 2:51pm
  
  Re: Only an idiot...
  Acer puts a nice little clause in with machines now. Destroy installed information, you void the warranty.
  
  The recent Acer 5100 I purchased had no less than 3 FAT32 partitions on it - Primary+Mirror and Recovery. A 100GB disk emasculated into something resembling 36GB. That, and all the crapware that was installed made it necessary to resinstall a fresh copy of *anything.*
  
  Warranty? Meet Ghost.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Jan 2007 @ 7:56pm

And the moral of the story is...
Don't buy Acer. Just that simple. Regardless of how screwed up Windows may be, Acer deliberately exploited the system to take control of the conumer's machine with no regard for how this might compromise their security overall.
Without a substantial loss in consumer confidence that translates immediately into lost sales, there is no incentive for other companies to behave any better.
In short, make the world a better place - don't buy an Acer.
While you are at it - don't buy Sony.
[ link to this | view in chronology ]
- Jeff, 9 Jan 2007 @ 3:45am
  
  Re: And the moral of the story is...
  Only problem with that is, when you start keeping a hit list of companies to avoid, sooner or later, every company on the planet is on that list, because, by and large, they're all a buncha f***tards.
  
  The posts above saying don't trust someone else's install, make your own (and Ghost it if you have to in order to stay in warranty) are right on the money. Because the real moral if you need one, is the age-old "if you wanna get something done right, do it yourself".
  
  Otherwise you'll carry that mantra to extreme, avoiding all manufacturers and be reduced to making your own microchips from raw silicon, etc. Maybe *YOU* can do it, if so, kudos, but it's a waste of my time.
  [ link to this | view in chronology ]