In association with heise online

09 January 2007, 13:58

Dangerous backdoor in Acer laptops [Update]

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Many Acer laptops have a dangerous backdoor, which can be used by websites to gain complete control over the laptop. The problem lies with the LunchApp.APlunch Active X control, which is installed by default and which heise Security found on all the Acer laptops it tested, including a brand new TravelMate, which happened to be in the c't editorial suite for testing. Visiting a test website, which was easily set up, started the Windows calculator on this system without user interaction.

The control, with class ID D9998BD0-7957-11D2-8FED-00606730D3AA, is marked as safe for scripting by the manufacturer, so that any website can call it and control it using JavaScript. Using the Run method, it would be possible to launch any program on the system at will, and even pass parameters to programs it is launching. It would, for example, be possible to download and install a keylogger. Under Internet Explorer 6, this works without any user interaction. IE7, however, does not allow automatic starts and asks the user for start permission. Once an IE7 user has allowed the control to be run, however, no further warnings will be displayed. Using this test webpage, you can check whether your Acer laptop is vulnerable. If it launches the Windows calculator (C:\windows\system32\calc.exe), your system is vulnerable. If nothing happens, the demo has not worked.

Since the associated file, LunchApp.ocx, is dated 1998, it can be assumed that it has been being supplied on Acer laptops for some time. It is not clear what its original purpose was, LaunchManager is not dependent on this control. Even an Acer rep admitted to heise Security that it looked as if it had simply been forgotten. Removing it does not cause any loss of performance on the system tested.

If the control is installed, the above class ID string will be present in the registry. From Windows XP Service Pack 2 onwards it can also be found as LunchApp.APlunch under "Tools/Internet options/Programs/Manage Add-ons", where it can also be deactivated. Alternatively, you can stop it from launching from Internet Explorer using a killbit and delete or rename the file C:\windows\system\LunchApp.ocx.

The problem was reported by Tan Chew Keong back in November. Acer have confirmed to heise Security that they are working on a patch and have modified their production procedures from the second half of December. Systems currently in the warehouse may well, therefore, be affected. Acer intends to publish an official response in the next few days and to make a patch available to its customers.

Meanwhile Acer provides an official security patch to remedy this problem.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit