IBM releases patch to fix ActiveX support

Cliff Saran
IBM has issued a patch to fix a flaw in its automated PC support technology.

The flaw, identified by security supplier eEye, concerns a signed ActiveX control called acpRunner, which could be considered trusted as it appears to come from IBM. However, eEye said if users trust IBM, they will run this control and their systems will be compromised.

The ActiveX control, which runs on Windows-based systems, was designed by IBM to provide automated support for its PCs. However, eEye said IBM has made available functions in the ActiveX control with names such as "DownLoadURL", "SaveFilePath", and "Download".

According to eEye, such functions could allow remote attackers to force a victim system to download a file into a location of their choosing. If an executable file were downloaded to the Startup folder, it would automatically be opened on startup, eEye claimed.

Although the auto-support technology has been superseded, IBM urged users to download the patch.

It said, "A security update is available that will protect your computer by correcting the identified issue; we recommend you install it immediately."
