IBM releases patch to fix ActiveX support



Cliff Saran
IBM has issued a patch to fix a flaw in its automated PC support technology.

The flaw, identified by security supplier eEye, concerns a signed ActiveX control called acpRunner, which could be considered trusted as it appears to come from IBM. However, eEye said if users trust IBM, they will run this control and their systems will be compromised.

The ActiveX control, which runs on Windows-based systems, was designed by IBM to provide automated support for its PCs. However, eEye said IBM has made available functions in the ActiveX control with names such as "DownLoadURL", "SaveFilePath", and "Download".

According to eEye, such functions could allow remote attackers to force a victim system to download a file into a location of their choosing. If an executable file were downloaded to the Startup folder, it would be opened automatically at startup, eEye claimed.
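The class of flaw eEye describes comes from letting the caller choose both the URL and the save location. The sketch below is an added example, not IBM's or eEye's code: it shows the checks a download helper can apply before writing anything. The function name, host, root directory and extension list are assumptions made for illustration.

```python
import ntpath
from urllib.parse import urlsplit

# Assumed policy for a hypothetical support downloader (all values constructed).
ALLOWED_HOSTS = {"support.example.com"}
DOWNLOAD_ROOT = r"C:\ProgramData\SupportTool\Downloads"
ALLOWED_EXTENSIONS = {".txt", ".log", ".xml"}


def check_download_request(url, save_path):
    """Return (allowed, reason) for a caller-supplied URL and save path."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return False, "host is not allowlisted"

    # Reject drive letters, UNC and rooted paths, and NTFS stream syntax.
    if ":" in save_path or save_path.startswith(("\\", "/")):
        return False, "save path must be relative"

    # Resolve ".." with Windows rules, then require the result under the root.
    root = ntpath.normcase(ntpath.normpath(DOWNLOAD_ROOT))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, save_path)))
    if not full.startswith(root + "\\"):
        return False, "save path escapes the download root"

    # Windows drops trailing dots and spaces, so "a.exe." is saved as "a.exe".
    name = ntpath.basename(full).rstrip(". ")
    if ntpath.splitext(name)[1] not in ALLOWED_EXTENSIONS:
        return False, "file type is not allowlisted"
    return True, "ok"


# Constructed sample requests, not taken from the advisory.
SAMPLES = [
    ("https://support.example.com/diag/report.xml", r"reports\report.xml"),
    ("https://support.example.com/diag/report.xml", r"..\..\Startup\report.xml"),
    ("http://support.example.com/diag/report.xml", r"reports\report.xml"),
    ("https://files.example.net/tool.exe", r"reports\tool.exe"),
    ("https://support.example.com/tool.exe", r"reports\tool.exe."),
    ("https://support.example.com/a.txt", r"D:\a.txt"),
]

if __name__ == "__main__":
    for url, path in SAMPLES:
        print(check_download_request(url, path), url, path)
```

Only the first constructed request passes; the others are refused for the reason returned alongside the decision.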

Although the auto-support technology has been superseded, IBM urged users to download the patch.

It said, "A security update is available that will protect your computer by correcting the identified issue; we recommend you install it immediately."
