The US Computer Emergency Readiness Team (US-CERT) has warned users of Acer notebooks that a pre-installed ActiveX control could be used by hackers to take over vulnerable computers.
According to the agency, if a hacker convinced a user to visit a website using Internet Explorer, they could subvert the system by running arbitrary code with the privileges of the user. The Acer LunchApp ActiveX control is provided by LunchApp.ocx. It contains a method called Run(), which takes three parameters: Drive, FileName, and CmdLine.
"Although the control is not inherently marked as safe for scripting via the IObjectSafety interface, it may be distributed with the appropriate Implemented Categories registry key to make it safe for scripting," the agency said on its website. "This means that a web page in Internet Explorer can call the Run() method of the control."
Acer issued an update called Acer Preload Security Patch for Windows XP. This patch unregisters and deletes the LunchApp.ocx file if it is present in the Windows System directory.
The vulnerability was originally discovered by Tan Chew Keong. He wrote on his blog that he found the vulnerability on his Acer TravelMate 4150 notebook and the ActiveX control was part of the suite of applications distributed on Acer notebooks going as far back as November 1998.
