IBM releases patch to fix ActiveX support

IBM has issued a patch to fix a flaw in its automated PC support technology.

The flaw, identified by security supplier eEye, concerns a signed ActiveX control called acpRunner, which could be considered trusted because it appears to come from IBM. However, eEye said that if users trust IBM, they will run this control and their systems will be compromised.

The ActiveX control, which runs on Windows-based systems, was designed by IBM to provide automated support for its PCs. However, eEye said IBM has made available functions in the ActiveX control with names such as "DownLoadURL", "SaveFilePath", and "Download".

According to eEye, such functions could allow remote attackers to force a victim system to download a file into a location of their choosing. If an executable file were downloaded to the Startup folder, it would be opened automatically at startup, eEye claimed.
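A defensive sketch of the checks a script-callable download function needs so that caller-supplied values, like those behind "DownLoadURL" and "SaveFilePath", cannot pick an arbitrary source or destination. This is an added example, not IBM's code or its patch; the host allowlist, download root, permitted file types and function names are all assumptions.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Assumed policy values for this sketch; none come from IBM or eEye.
ALLOWED_HOSTS = {"support.example.com"}
DOWNLOAD_ROOT = PureWindowsPath(r"C:\ProgramData\ExampleSupport\Downloads")
ALLOWED_SUFFIXES = {".cab", ".txt"}  # data only, nothing directly executable


class RejectedRequest(ValueError):
    """A caller-supplied URL or path violated the download policy."""


def check_source(url: str) -> str:
    """Accept only HTTPS URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedRequest("source must use https")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RejectedRequest("source host is not allowlisted")
    return url


def resolve_target(save_file_path: str) -> PureWindowsPath:
    """Map a caller-supplied relative path to a file under DOWNLOAD_ROOT."""
    requested = PureWindowsPath(save_file_path)
    # Drive letters, rooted paths and UNC shares all set the anchor.
    if requested.anchor:
        raise RejectedRequest("absolute paths are not accepted")
    # A colon elsewhere would name an NTFS alternate data stream.
    if ":" in save_file_path or ".." in requested.parts:
        raise RejectedRequest("path escapes the download root")
    name = requested.name
    # Windows drops trailing dots and spaces, which can hide the real suffix.
    if not name or name != name.rstrip(". "):
        raise RejectedRequest("invalid file name")
    if requested.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedRequest("file type is not allowed")
    # Lexical check only; real code must also resolve links on disk.
    return DOWNLOAD_ROOT / requested
```

A control that applied checks of this kind would refuse both a destination in the Startup folder and an executable payload, whatever the calling web page supplied.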

Although the auto-support technology has been superseded, IBM urged users to download the patch.

It said, "A security update is available that will protect your computer by correcting the identified issue; we recommend you install it immediately."


