The flaw, identified by security supplier eEye, concerns a digitally signed ActiveX control called acpRunner, which users are likely to trust because its signature identifies IBM as the publisher. However, eEye said that if users trust IBM, they will run this control and their systems will be compromised.
The ActiveX control, which runs on Windows-based systems, was designed by IBM to provide automated support for its PCs. However, eEye said IBM exposed functions in the ActiveX control with names such as "DownLoadURL", "SaveFilePath" and "Download".
According to eEye, such functions could allow remote attackers to force a victim system to download a file into a location of their choosing. An attacker who downloaded an executable file to the Startup folder would have the malicious file run automatically when the system starts, eEye claimed.
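The Windows-side mitigation for a control like this, independent of the vendor's patch, is the Internet Explorer "kill bit": a per-CLSID registry flag that stops IE from instantiating the control at all, so a valid IBM signature no longer gets it loaded. The following PowerShell is an added example, not code from IBM, eEye or the original article. The CLSID in it is a placeholder: the article does not give acpRunner's CLSID, so it has to be read from the registry of an affected machine before this is run.

```powershell
# Added example (not IBM's or eEye's code): set the Internet Explorer kill bit
# for an ActiveX control so IE refuses to load it, signed or not.
# The CLSID below is a PLACEHOLDER; acpRunner's real CLSID is not given in the
# article and must be taken from HKCR\CLSID on an affected machine.
# Run from an elevated (Administrator) PowerShell session.

$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace before use

$KillBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $key = Join-Path $KillBitBase $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # 0x400 is the kill bit: IE will not instantiate this CLSID, regardless of
    # its Authenticode signature. OR it into any flags already present so
    # other compatibility settings for the control are preserved.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor 0x400
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitBase $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    "Kill bit set for $Clsid; Internet Explorer will no longer load this control."
} else {
    Write-Error "Kill bit was not set for $Clsid"
}
```

The kill bit only blocks instantiation from Internet Explorer; it does not remove the control from disk or change its signature, so it is a containment step to take alongside, not instead of, the vendor update. Because it disables the control's legitimate use as well, it is appropriate here only because IBM says the automated support technology it served has been superseded.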
Although the auto-support technology has been superseded, IBM urged users to download the patch.
It said, "A security update is available that will protect your computer by correcting the identified issue; we recommend you install it immediately."