Hackers could use two IBM ActiveX controls designed for automated PC support to attack PCs through the Internet Explorer browser, according to security firm eEye.
The company found flaws in the eGatherer 22.214.171.124 and acpRunner 126.96.36.199 ActiveX controls - the first of which is installed by default on many IBM PCs - that could allow attackers to write malicious files anywhere on a computer's hard disk via a special Web page. Because the controls are signed by IBM, users who agree to "trust" IBM components could be compromised, eEye said in two advisories last week. The company published example exploits for both controls.
Also last week, Linux vendors began patching several new, but less serious holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian distributions.
The controls are simply badly designed, according to eEye, making available unsafe methods of accessing a user's PC. "ActiveX is a very profound Web technology. As a profound Web technology it may be abused," wrote eEye in its advisory. "Designers might create an ActiveX which could perform any function on an user's computer. The responsibility rests with the creator of the ActiveX, as in any trust model."
IBM has released a fix for the problem on its website. Security tools such as eEye's Retina Network Security Scanner are also capable of protecting PCs.
The hole is similar in some ways to two linked flaws in Internet Explorer publicised earlier this month. Those flaws also allowed a malicious Web page to write files onto a user's hard drive without being detected. In that case, the bug was already being exploited by Web pages in order to place spyware on users' PCs. The earlier exploit also made use of a "help" file.
Because Internet Explorer and its connected technologies thoroughly dominate the Web browser market, attackers tend to focus their efforts on the software, industry analysts say. This situation makes a convincing case for businesses to switch to another browser, such as Mozilla or Opera, according to some security experts.
Linux vendors Red Hat and Trustix last week said they had discovered vulnerabilities in several drivers in the Linux 2.6 kernel, allowing local users to elevate their privileges or gain access to the kernel memory. The bugs, affecting the aironet, asus_acpi, decnet, mpu401, msnd, and pss drivers, were discovered through a review of the 2.6 kernel source code, but some of them also affect the 2.4 kernel, Trustix said.
Gentoo Linux reported a bug in a popular spell-checking program called aspell, affecting versions up to 0.50.5-r1, which could allow a malicious user to execute the code of their choice on the system. The most recent version of the package corrects the problem. Security firm Secunia said the bug could be used to execute malicious code remotely, with the privileges of the user, but would require extensive social engineering.