I originally published this blog at http://community.ca.com/blogs/securityadvisor
Published: January 11 2007, 01:32 PM by Benjamin Googins
There have been rumors floating across the net suggesting that the computer company Acer [www.acer.com] was supposedly bugging its computers via an ActiveX control. I managed to dig up a copy (may not be the exact file), and verified its functionality, and it does in fact allow an executable to be run on a local drive, even through an online script. Say, for example, if a user visits a website that tries to run something on his machine, Acer’s ActiveX control would allow it. There’s plenty of good information about the (de)merits of marking a component as “safe for scripting”.
Digging deeper into the control itself revealed that all it really does is accept three inputs from the calling script and, using those parameters, call the standard Win32 API function WinExec to run the requested program. And herein lies the conundrum. Does a company like Acer develop such software to spy on people? I think not. This control just seems to be a part of their standard install. Is there any need for such a control? Not really; there are better ways to do this. The control determines the type of drive the executable is to be loaded from and then executes it. That’s all. I’m assuming Acer uses it to get around scripting limitations when launching custom applications through a single interface, probably one built with HTML and script. Why? Because they can and, more than likely, because any large software production involves a lot of standardization. This may have seemed like a reasonable solution at the time.
Acer is not off the hook though. They marked it as “safe for scripting”, and that’s a definite no-no: that marking tells Internet Explorer (under its default zone settings) that web pages may script the control without prompting the user. It may have seemed like a viable option in 1998, but we’re now in 2007. The potential for this control (and many others like it) to be exploited presents real security and privacy concerns. While Acer may not intend to use it for any malicious purpose, now that this information has been widely publicized there are those who will most definitely use it as an additional vector for their attacks. It doesn’t run anything off a remote server, just local commands on the ‘compromised’ machine. But WinExec takes a full command line, so in the hands of a skilled attacker any utility already on the local machine could be started with arguments of the attacker’s choosing and further exploited, and a carefully constructed command could further compromise such a machine.
If you do have this component on your machine, you are a skilled computer administrator, and you wish to de-register it, you can simply run the command:
regsvr32 /u %WINDIR%\system32\LunchApp.OCX
Caution: by de-registering this control, some of the software that depends on it may stop working. Also, without a dedicated test environment, we do not recommend testing this component.
After testing the control, I manually unregistered the component from my machine, ensured the relevant keys were removed from my registry, and deleted the file itself. On my machine, the LaunchManager still worked and its various components continued to function the way I was used to them working. It’s possible that unregistering the control may break advanced features of their suite, or that features may stop working on a different software version or a different hardware model.
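As an added example (written for this page; it is not code from the original post or from Acer), the PowerShell script below performs the check behind the “safe for scripting” discussion above and offers an alternative to unregistering the control. It enumerates every CLSID whose Implemented Categories key carries the well-known CATID_SafeForScripting component category, filters on the registered server binary (LunchApp.OCX, taken from the regsvr32 command above), and reports whether the Internet Explorer kill bit (Compatibility Flags 0x400) is already set. The file-name pattern and whichever CLSIDs it matches on a given machine are assumptions. One caveat: a control can also claim safety at runtime through the IObjectSafety interface without registering the category key, so a registry sweep alone does not catch every script-safe control.

```powershell
# Added example, not Acer's code: find ActiveX controls registered as
# "safe for scripting" and show whether the IE kill bit is set for them.
# Read-only unless you explicitly call Set-ActiveXKillBit.

# Well-known component category GUIDs defined by Internet Explorer.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptSafeActiveX {
    # $ServerNameLike is a wildcard pattern matched against the InprocServer32 path,
    # e.g. '*LunchApp.OCX' (file name assumed from the post). '*' lists everything.
    param([string]$ServerNameLike = '*')

    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName

        # Only controls that advertise "safe for scripting" via the category key.
        if (-not (Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForScripting")) { return }

        $serverKey = "$($_.PSPath)\InprocServer32"
        if (-not (Test-Path $serverKey)) { return }
        $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        if ($server -notlike $ServerNameLike) { return }

        $safeInit = Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForInitializing"
        $flags = (Get-ItemProperty -Path "$KillBitRoot\$clsid" -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID               = $clsid
            ProgID              = (Get-ItemProperty -Path "$($_.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
            Server              = $server
            SafeForScripting    = $true
            SafeForInitializing = $safeInit
            KillBitSet          = [bool]($flags -band 0x400)   # 0x400 = kill bit
        }
    }
}

function Set-ActiveXKillBit {
    # Sets Compatibility Flags 0x400 for the CLSID. Internet Explorer (and any host of the
    # WebBrowser control) will then refuse to instantiate it, while the COM registration
    # itself is left intact. Requires an elevated (administrator) PowerShell session.
    param([Parameter(Mandatory)][string]$Clsid)

    $key = "$KillBitRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor 0x400
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage: report every script-safe control whose server binary is LunchApp.OCX.
Get-ScriptSafeActiveX -ServerNameLike '*LunchApp.OCX' | Format-Table -AutoSize
# To block it in the browser without unregistering it:
#   Get-ScriptSafeActiveX -ServerNameLike '*LunchApp.OCX' | ForEach-Object { Set-ActiveXKillBit -Clsid $_.CLSID }
```

Setting the kill bit is the usual alternative to regsvr32 /u when the vendor’s own software still needs the COM registration: it is honored by Internet Explorer and by any application that embeds the WebBrowser control, so if Acer’s launcher really is an HTML/script front end, as speculated above, it would be affected too. As with unregistering, try it on a non-production machine first.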
Unfortunately, the problems with this OCX are far from unique. There are many such components that are similarly marked safe for scripting and that can be exploited in the same way. In fact, remember the Month of Browser Bugs (MoBB) [http://browserfun.blogspot.com] guys finding over 50 ActiveX controls marked safe for scripting in a popular business software package? Then there are the real exploits, targeted attacks, and vulnerabilities that we need to worry about. To be truly well informed, please visit our Security Advisor [www.ca.com/securityadvisor] for up-to-date information on the threats.
This article was a joint effort by Benjamin Googins and Jay Tecksingani.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…