IBM releases patch to fix ActiveX support

IBM has issued a patch to fix a flaw in its automated PC support technology.

The flaw, identified by security supplier eEye, concerns a signed ActiveX control called acpRunner, which users could consider trusted because it appears to come from IBM. However, eEye said that if users trust IBM, they will run this control and their systems will be compromised.

The ActiveX control, which runs on Windows-based systems, was designed by IBM to provide automated support for its PCs. However, eEye said IBM has exposed functions in the ActiveX control with names such as "DownLoadURL", "SaveFilePath", and "Download".

According to eEye, such functions could allow remote attackers to force a victim system to download a file into a location of their choosing. If an executable file were downloaded to the Startup folder, the malicious file would be opened automatically at startup, eEye claimed.

Although the auto-support technology has been superseded, IBM urged users to download the patch.

It said, "A security update is available that will protect your computer by correcting the identified issue; we recommend you install it immediately."
