Automated Solutions from IBM/Lenovo creates vulnerability
The Automated Solutions software package from IBM/Lenovo, which supports web-interactive system diagnostics and optimisation, introduces a security vulnerability. The software installs an ActiveX module containing vulnerabilities that may allow attackers to inject and execute remote code via specially crafted websites. An update to eliminate the problem is available.
US-CERT has reported multiple security vulnerabilities in the acpRunner ActiveX component, which is contained in the AcpController.dll library. Its function is to download, extract and run software. acpRunner incorrectly verifies digital signatures in downloaded software, possibly allowing attackers to download arbitrary program code onto the computer. The module also contains a format string vulnerability that can be exploited to execute remote code using specially crafted request parameters in websites. Since the module does not verify the domain from which the software originates, attackers can exploit the vulnerabilities from arbitrary websites.
IBM/Lenovo has provided the fix pack 1 download to correct these flaws. It updates acpcontroller.dll to version 184.108.40.206 and acpir.dll to version 220.127.116.11. IBM/Lenovo does not indicate which vulnerabilities have been eliminated in the second file. Users of Automated Solutions should download and install the update as soon as possible.
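To see whether a machine still carries the affected control, an administrator can look for COM registrations that point at the two DLLs and compare their file versions with the fix pack versions quoted above. The following PowerShell check is an added example, not code from the article or from IBM/Lenovo; it assumes the versions printed above are the fix pack 1 versions and takes them as parameters so they can be corrected against the vendor's fix pack notes.

```powershell
param(
    [version]$ControllerFixed = '184.108.40.206',  # acpcontroller.dll, fix pack 1 version as quoted in the article
    [version]$AcpirFixed      = '220.127.116.11'   # acpir.dll, fix pack 1 version as quoted in the article
)

# File name (lower case) -> minimum version that contains the fix
$Fixed = @{ 'acpcontroller.dll' = $ControllerFixed; 'acpir.dll' = $AcpirFixed }

function Get-FileVersion([string]$Path) {
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# 1. Walk HKCR\CLSID\*\InprocServer32 and keep every registration whose server is one of
#    the two DLLs. Searching the registry rather than a fixed folder finds the control
#    even when the package was installed to a non-default location.
$hits = foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = Join-Path $clsid.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { continue }
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($dll -and $Fixed.ContainsKey([IO.Path]::GetFileName($dll).ToLower())) {
        [pscustomobject]@{
            Clsid = $clsid.PSChildName
            Path  = [Environment]::ExpandEnvironmentVariables($dll)
        }
    }
}

# 2. Report each registered copy with its version and whether it predates the fix pack.
foreach ($hit in $hits) {
    if (-not (Test-Path $hit.Path)) {
        Write-Warning "$($hit.Clsid): registered but missing on disk: $($hit.Path)"
        continue
    }
    $name  = [IO.Path]::GetFileName($hit.Path).ToLower()
    $ver   = Get-FileVersion $hit.Path
    $state = if ($ver -lt $Fixed[$name]) { 'VULNERABLE (below fix pack version)' } else { 'patched' }
    '{0}  {1}  {2}  {3}' -f $hit.Clsid, $hit.Path, $ver, $state
}
if (-not $hits) { 'No AcpController.dll / acpir.dll COM registration found on this system.' }
```

A registration that is present but whose DLL is missing on disk is worth a second look, since a dangling InprocServer32 entry usually means the package was removed by hand rather than uninstalled.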
Support software from both desktop and notebook computer manufacturers frequently contains security vulnerabilities. Acer and HP have already had to release updates for their support software this year. Since most manufacturers post software updates on their websites, users would be well advised to forgo installing the support software supplied with the computer and instead regularly visit the manufacturer websites to find the latest updates.
- IBM and Lenovo Access Support acpRunner ActiveX control fails to validate digital signatures, security advisory from US-CERT
- IBM and Lenovo Access Support acpRunner ActiveX control format string vulnerability, security advisory from US-CERT
- IBM and Lenovo Access Support acpRunner ActiveX control fails to restrict access to methods, security advisory from US-CERT
- Download of the fix pack for IBM/Lenovo Automated Solutions