dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
13895
share rss forum feed


vircotto

join:2002-06-04
searching...

Acer puts Active X hole on laptops

There is a link to this article in Morning Broadband Bytes: »www.theinquirer.net/default.aspx···le=36773

Here's the gist:

LAPTOP OUTFIT Acer seems to have placed an Active X control on its computers that seems to allow webpages to execute any program. ... The exploit was found by Tan Chew Keong.... He smelt a rat when he noticed that his Acer TravelMate 4150 notebook contained a LunchApp.APlunch ActiveX control, which is marked as "safe for scripting" and "safe for initialising from persistent data".
I know two or three people who have Acer laptops. Would it be safe for me to recommend that they delete that ActiveX control? And would that be accomplished by finding and deleting a file named "LunchApp.APlunch"?

Thanks!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..nowdays all those "manufactures" put so much junk on the machine you are really buying a can of spam and junk third party proggies..unstable machines..and not just the hardware. No user will ever be in full control of the machine until the do.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to vircotto

But to be honest with you..I am confused about all this write up on the Acer...and they call it LunchApp.APlunch ????

I thought it was LaunchApp

»www.castlecops.com/s1820-LaunchApp.html

Did Tan Chew Keong take it out to Lunch ?

*****************************************

Description:
alaunch.exe is a process which is bundled with Acer laptops and provides additional diagnostic functions for your laptop. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

O4 - HKLM\..\Run: [LaunchApp] Alaunch

C:\PROGRA~1\LAUNCH~1\LManager.exe

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to vircotto

lmanager.exe is a process associated with Acer Launch Manager from Dritek System Inc..

U Launchboard lnchbrd.exe "LaunchBoard software from Darwin turns your keyboard into a remote control for the Internet and your computer! With LaunchBoard 2.0, you can customize up to 38 keys on your PC keyboard to instantly launch Web Sites, start applications, perform custom macros, handle Windows shortcuts, store passwords, and perform loads of other customizable functions"
U LaunchApp Alaunch.exe Acer Launch tool utility on laptops
U LaunchAp LaunchAp.exe Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610

Author: Dritek System Inc.
Part Of: Acer Launch Manager

LManager.exe file information
The process Acer Launch Manager Keyboard Application belongs to the software Acer Launch Manager by Dritek System Inc (www.dritek.com.tw).

Description: File LManager.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 495616 bytes (50% of all occurrence), 483328 bytes, 471040 bytes.
There is an icon for this program on the taskbar next to the clock. It is not a Windows system file. Therefore the technical security rating is 24% dangerous.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/



vircotto

join:2002-06-04
searching...
reply to vircotto

NG,

Okay, you've confused me. (Really, not that hard to do!)

I'm pretty sure that LunchAPP.APlunch is the ActiveX control in question. I've found a site where on 11/19/06 Tan Chew Keong presented information:
»vuln.sg/acerlunchapp-en.html

He only tested on two Acer notebooks as that was all he had access to. He does provide some test code that launches calc.exe.

Also, I found this:
»nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6121



MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16
reply to vircotto

said by vircotto:

There is a link to this article in Morning Broadband Bytes: »www.theinquirer.net/default.aspx···le=36773
I know two or three people who have Acer laptops. Would it be safe for me to recommend that they delete that ActiveX control? And would that be accomplished by finding and deleting a file named "LunchApp.APlunch"?

Thanks!
According to the article it says " Those who have disabled ActiveX when they upgraded to IE7 can rest easy." So my question is have any of the people you know done this to their Acer laptops.
--
"Sometimes one pays most for the things one gets for nothing." - Albert Einstein (1879-1955)


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to vircotto

said by vircotto:

NG,

Okay, you've confused me. (Really, not that hard to do!)

I'm pretty sure that LunchAPP.APlunch is the ActiveX control in question. I've found a site where on 11/19/06 Tan Chew Keong presented information:
»vuln.sg/acerlunchapp-en.html

He only tested on two Acer notebooks as that was all he had access to. He does provide some test code that launches calc.exe.

Also, I found this:
»nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6121
Yup and I see all of the links out there about a lunchapp thingie all points to his info..or others who just linked to or copied his warning...BUT since I myself do not have one of those laptops..and since [LaunchApp] Alaunch is surely part of Acer stuff..I am trying to figure out myself if he just has a 'typo' in his write up..and he really mean Launch...or he did find a lunch and it is not even part of Acer stuff and might be a bad boy..so hope that someone who has an Acer laptop can really confirm it is lunch for the activeX..since to me that would be very strange.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

2 recommendations

reply to Name Game

said by Name Game:

My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..
Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really.

All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need.
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to vircotto

Yup..I know Markus and that really sucks..

@Vircotto

I am still not convinced on all this myself..you see calc.exe has been exploited many times in the past..here are a few examples ..

W32/Bagle@MM , W32/HLL.cmp.406528 , Win32.Dumaru.A,

HLLC.HappyFlowers, W32.Walcomp

»www.symantec.com/security_respon···-4618-99

so i still wonder if Tan Chew Keong might just have found infected laptops..and there is a lunch thigie associated with it..and it's a new exploit.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

1 recommendation

reply to jansson_mark

said by jansson_mark:

said by Name Game:

My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..
Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really.

All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need.
Know what you mean. The restore info isnt so much on unpartioned space its on a hidden (only from windows) partion. Its visable on most through good old fdisk if not fdisk its visable from a linux boot or live cd. Been a while sense i used fdisk but i beleive it has a option in there some where to create a hidden partion. Or maybe you simply leave them as a inactive partion.

The so called restore cds are more often than not the program x you mention and all the restore data or at least most is on the partion.

The single biggest problem with such partions is even though windows do not see them some truely nasty little viris and trojans do and because these are almost never more than fat 32 partions no security rules effect the partion. Non admins have full read right delete access to said partion.

So basically you execute viri x as non admin limited user and nothing happens then one day you decide youve got to much crap on your comp and restore to factory default. Now this viri x gets installed during restore and your screwed.

Lucky for all of us these little nasties are few and far between. Ive seen 3 examples of them in something like 8 years of cleaning up infections.

As for the whole not including a xp/os disk that just pisses me off. Personally i dont care one way or the other. I can get xp pro full retail version for 150. The guy who i buy from will be selling the vista ultimate edition just as relitivly cheap when its released same for all other versions. When i bought my xp pro i paid 199 instead of 299 so i fully expect vista ultimate to be about 200 cheaper from him than any where else.

Want cheap and 100% legal copies of windows oses shop the mom and pop shops. Forget online sales forget big retailers go mom and pop shops. The way such shops see it if they can cut you a great deal on a computer or hardware or software youll bring them all your buissness. Then they can make more of your hard earned money even when something might be a little more expensive.
--
Evil does exist and it has a face to often that face is one that should look on their child with love in their eyes.

Instead only hate exists in those eyes.


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

2 edits
reply to vircotto

Getting back to the original topic for a moment, this does *NOT* appear to be a typo.

I have a fairly new Acer laptop myself (unfortunately, I don't have it here at home at the moment...but plan to check as soon as I can).

However, while I'm familiar with the harmless Acer Launch Manager utility, a google search brings up a fair amount of info concerning this "Lunch"App active-x control.

It's funny, even Google wants to correct me when I search specifically for this LunchApp.ocx to be sure I didn't mean "Launchapp.ocx".
»www.google.com/search?q=LunchApp···&oe=utf8

As you can see, there seems to be a lot of fuss about this "LUNCH"

Or here's a search for LunchApp.APlunch
»www.google.com/search?q=LunchApp···&oe=utf8

Acer Laptop users can probably "search all files and Folders" for the actual LunchApp.ocx and see if it resides somewhere.....something I'll do when I can.

In the mean time, I think I'll read a little bit more about this.

(Edit) Well,I see a lot of these links point back to "Tan Chew Keong's" findings, but I still think this thing exists and may be a problem for some.
--
I had a life once.....now I have a Computer and a Modem.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

Yes..glad you came to the same conclusion. There is a Launch thingie called O4 - HKLM\..\Run: [LaunchApp] Alaunch
Many people have posted hijackthis logs who have ACER PORTABLE with this running..so this is a fact.

What appears to be not correct is the presence of any LunchApp.

So I suggest anyone that finds such an entry of LunchApp.APlunch ActiveX control that this could be an infection..I doubt is is part of Acer installed software..and the first thing I would do is post a highjackthis log from that machine at this link forum
»Security Cleanup
and let some experts take a look at it.

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/



Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK

1 recommendation

reply to Name Game

said by Name Game:

My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..nowdays all those "manufactures" put so much junk on the machine you are really buying a can of spam and junk third party proggies..unstable machines..and not just the hardware. No user will ever be in full control of the machine until the do.
said by jansson_mark:

Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really.

All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need.
I learned long ago to order recovery CDs when purchasing computers from Dell. I've also purchased computers "off the shelf" from Wal*Mart.

HP (Hewlett Packard) is the worse for loading it's junk on the same CD as the operating system. I've had the misfortune of owning two HP OEM computers and both recovery CDs included Back Web, AOL Free Trial Offers, etc. This useless garbage is reinstalled when the operating system is reinstalled.

Dell, however, only includes the operating system on their Recovery CD and none of the Dell-branded junk. Drivers are on another CD. In September, I purchased another Dell computer and even before that computer ever connected to the internet, the hard drive was wiped clean and the operating system reloaded. No junk was reinstalled along with the operating system.


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
reply to vircotto

from
»www.securityfocus.com/brief/404
"..
Computer maker Acer has shipped its notebook computers with an ActiveX control that lets any Web site install software on the machine, security researchers warned this week.

The ActiveX control--named LunchApp.ocx--appears to be a way for the company to easily update customer laptops, but also allows others to do the same thing, antivirus firm F-Secure stated in a blog post on Tuesday. The security problem, first discovered in November by security researcher Tan Chew Keong, was confirmed by antivirus F-Secure.
.."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006



lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
kudos:57

Aye..it's on my Acer



tomazyk

join:2006-12-04
reply to vircotto

I found this active-x control on my laptop. It's not on my IE7 list of used addons and active- x controls so I guess I don't need it. Just to be on a safe side I will rename the file, if acer would need that control it would probably ask me to download it. So no harm done.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to vircotto

Those with Acer computers might wish to check out this link to Heise Security:
»www.heise-security.co.uk/news/83426

"Many Acer laptops have a dangerous backdoor, which can be used by websites to gain complete control over the laptop. The problem lies with the LunchApp.APlunch Active X control, which is installed by default and which heise Security found on all the Acer laptops it tested, including a brand new TravelMate, which happened to be in the c't editorial suite for testing. Visiting a test website, which was easily set up, started the Windows calculator on this system without user interaction.

The control, with class ID D9998BD0-7957-11D2-8FED-00606730D3AA, is marked as safe for scripting by the manufacturer, so that any website can call it and control it using JavaScript. Using the Run method, it would be possible to launch any program on the system at will, and even pass parameters to programs it is launching. ..."

Apparently, it's possibly been on Acer laptops dating to 1998.

"Even an Acer rep admitted to heise Security that it looked as if it had simply been forgotten. Removing it does not cause any loss of performance on the system tested."
--
If God wanted us to work with electrons, He'd make them big enough to see...



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to vircotto

Ok I owe you all a free lunch do you want that breaded or raw.ocx


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by Name Game:

Ok I owe you all a free lunch do you want that breaded or raw.ocx
Thanks, but I'll have to pass on mine... for some time, I've been on an ActiveX-free diet.
--
If God wanted us to work with electrons, He'd make them big enough to see...


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

said by Blackbird:

said by Name Game:

Ok I owe you all a free lunch do you want that breaded or raw.ocx
Thanks, but I'll have to pass on mine... for some time, I've been on an ActiveX-free diet.
That's a relief..would not want anyone to launch their lunch all over the thread..thanks again to all those who helped make DSLR security forum once again a place where you can sort out fact from friction.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

3 recommendations

reply to Blackbird

»www.heise-security.co.uk/news/83426

quote:
Update:
Meanwhile Acer provides an official security patch to remedy this problem.
--
Me, I want a hula hoop..


vircotto

join:2002-06-04
searching...
reply to vircotto

Thanks, fatness, for that link. (I couldn't find this on Acer's Pan-American site and now sections of that support site are generating ColdFusion errors when I try to view them.) I didn't think to look at their Euro site!

And thanks to the others, and esp. NG for being critical (in the good way!) and courteous.



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 edit
reply to vircotto

Thank you fatness See Profile!

*sigh*

Guess I have to get this patch for my laptop. Has anyone looked at it yet? After unzipping, then what? I'm not on the laptop so I haven't downloaded it yet.



mers2
Premium,MVM
join:2004-03-20
USA
kudos:8

said by La Luna:

Thank you fatness See Profile!

*sigh*

Guess I have to get this patch for my laptop. Has anyone looked at it yet? After unzipping, then what? I'm not on the laptop so I haven't downloaded it yet.
Just downloaded it and checked the zip file. It's a single executable. "AcerAppFix.exe" which I haven't run yet. Will wait til after I'm done hosting the updates sticky tomorrow before updating in case it screws something up.
--
Team Discovery


lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
kudos:57

1 recommendation

reply to fatness

Thanks for posting that

I executed it on my laptop last evening..with no problems to report at all.



Derspankster
Premium
join:2003-02-12
Marion, OH

Thanks for the post and link. I just downloaded and ran the patch.
--
I thought I made a mistake once but I was wrong



captokita
Premium
join:2005-02-22
Calabash, NC
reply to vircotto

Good grief. I'll have to grab that patch fatness posted.

Can you just uninstall the backweb-type stuff completely? I don't need, or really want, my laptop calling home to Acer (or anyone) for anything.



koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX
reply to vircotto

One more reason Oem manufacutures need to be forced to provide 3 things.
1. Windows Hologram CD
2. Driver CD
3. Software CD {IE all the trash programs that are forced on ya IE Nortan et..... to be in complience with there contracts.}

LIke it used to be back in the day.
--
† Koma †
If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay!!
Ya Don't Know The signal Till Ya Ride It!!
Voice Break's There's Trouble!!



Derspankster
Premium
join:2003-02-12
Marion, OH

1 recommendation

said by koma3504:

One more reason Oem manufacutures need to be forced to provide 3 things.
1. Windows Hologram CD
2. Driver CD
3. Software CD {IE all the trash programs that are forced on ya IE Nortan et..... to be in complience with there contracts.}

LIke it used to be back in the day.
Absolutely! But, how to make it happen? The only OEM machine I own is my laptop. If I could have built my own laptop, I would have. The only software that came with my Acer laptop were the 'restore' disks. Now, why would I want to restore it to the sorry state that it was shipped?
--
I thought I made a mistake once but I was wrong


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

2 edits
reply to vircotto

Finally had a chance to test my Acer 5102, and the LunchApp.ocx did in fact reside in my Windows\System Folder.

And dated 1998 just like the original link by Tan Chew Keong:
»vuln.sg/acerlunchapp-en.html

I generally use Opera, but I tested it with IE7 and simply got a warning that it wanted to run.
And the simple test to launch Calc.exe (or any other .exe for that matter), is so simple it's downright scary.

Anyway, I played around with mine before I came back to this thread, so I didn't see the 'patch' offered by Acer until now.

Instead, I unregistered the file and then removed it as suggested in yet another article/'test' page that I came across.
»www.futt.org/?p=97#more-97

No adverse effects, and of course, no more 'warnings' on the test pages.

The only thing I haven't done yet is what was suggested in the last sentence of the above article:

quote:
Next, you should make one angry phone call to Acer for screwing you over like that...


--
I had a life once.....now I have a Computer and a Modem.