Hackers could use two of IBM ActiveX controls designed for automated PC support to attack PCs through the Internet Explorer browser, according to security firm eEye Digital Security.
The company found flaws in the eGatherer 2.0.0.16 and acpRunner 1.2.5.0 ActiveX controls -- the first of which is installed by default on many IBM PCs -- that could allow attackers to write malicious files anywhere on a computer's hard disk via a special Web page. Because the controls are signed by IBM Corp., users who agree to "trust" IBM components could be compromised, eEye said in two advisories last week. The company published example exploits for both controls.
Also last week, Linux vendors began patching several new, but less serious holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian distributions.
The controls are simply badly designed, according to eEye, making available unsafe methods of accessing a user's PC. "ActiveX is a very profound Web technology. As a profound Web technology it may be abused," wrote eEye in its advisory. "Designers might create an ActiveX which could perform any function on an user's computer. The responsibility rests with the creator of the ActiveX, as in any trust model."
IBM has released a fix for the problem on its website. Security tools such as eEye's Retina Network Security Scanner are also capable of protecting PCs.
The hole is similar in some ways to two linked flaws in Internet Explorer publicized earlier this month. Those flaws also allowed a malicious Web page to write files onto a user's hard drive without being detected. In that case, the bug was already being exploited by Web pages in order to place spyware on users' PCs. The earlier exploit also made use of a "help" file.
Because Internet Explorer and its connected technologies thoroughly dominate the Web browser market, attackers tend to focus their efforts on the software, industry analysts say. This situation makes a convincing case for businesses to switch to another browser, such as Mozilla or Opera, according to some security experts.