vircotto
join:2002-06-04
Illinois
| Acer puts Active X hole on laptops
There is a link to this article in Morning Broadband Bytes: »www.theinquirer.net/default.aspx···le=36773
Here's the gist:
LAPTOP OUTFIT Acer seems to have placed an Active X control on its computers that seems to allow webpages to execute any program. ... The exploit was found by Tan Chew Keong.... He smelt a rat when he noticed that his Acer TravelMate 4150 notebook contained a LunchApp.APlunch ActiveX control, which is marked as "safe for scripting" and "safe for initialising from persistent data". I know two or three people who have Acer laptops. Would it be safe for me to recommend that they delete that ActiveX control? And would that be accomplished by finding and deleting a file named "LunchApp.APlunch"?
Thanks! |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| My advice to anyone who buys a new PC or laptop especially some of those Dell's  would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..nowdays all those "manufactures" put so much junk on the machine you are really buying a can of spam and junk third party proggies..unstable machines..and not just the hardware. No user will ever be in full control of the machine until the do.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
2 edits | reply to vircotto
But to be honest with you..I am confused about all this write up on the Acer...and they call it LunchApp.APlunch ????
I thought it was LaunchApp
»www.castlecops.com/s1820-LaunchApp.html
Did Tan Chew Keong take it out to Lunch ? 
*****************************************
Description:
alaunch.exe is a process which is bundled with Acer laptops and provides additional diagnostic functions for your laptop. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
O4 - HKLM\..\Run: [LaunchApp] Alaunch
C:\PROGRA~1\LAUNCH~1\LManager.exe
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to vircotto
lmanager.exe is a process associated with Acer Launch Manager from Dritek System Inc..
U Launchboard lnchbrd.exe "LaunchBoard software from Darwin turns your keyboard into a remote control for the Internet and your computer! With LaunchBoard 2.0, you can customize up to 38 keys on your PC keyboard to instantly launch Web Sites, start applications, perform custom macros, handle Windows shortcuts, store passwords, and perform loads of other customizable functions"
U LaunchApp Alaunch.exe Acer Launch tool utility on laptops
U LaunchAp LaunchAp.exe Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610
Author: Dritek System Inc.
Part Of: Acer Launch Manager
LManager.exe file information
The process Acer Launch Manager Keyboard Application belongs to the software Acer Launch Manager by Dritek System Inc (www.dritek.com.tw).
Description: File LManager.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 495616 bytes (50% of all occurrence), 483328 bytes, 471040 bytes.
There is an icon for this program on the taskbar next to the clock. It is not a Windows system file. Therefore the technical security rating is 24% dangerous.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
vircotto
join:2002-06-04
Illinois
| reply to vircotto
NG,
Okay, you've confused me. (Really, not that hard to do!)
I'm pretty sure that LunchAPP.APlunch is the ActiveX control in question. I've found a site where on 11/19/06 Tan Chew Keong presented information:
»vuln.sg/acerlunchapp-en.html
He only tested on two Acer notebooks as that was all he had access to. He does provide some test code that launches calc.exe.
Also, I found this:
»nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6121 |
|
MarkAW
Barry White or lil bratt
Premium
join:2001-08-27
Canada
 ·Bell Sympatico
 ·Cogeco Cable
| reply to vircotto
said by vircotto  :There is a link to this article in Morning Broadband Bytes: » www.theinquirer.net/default.aspx···le=36773I know two or three people who have Acer laptops. Would it be safe for me to recommend that they delete that ActiveX control? And would that be accomplished by finding and deleting a file named "LunchApp.APlunch"? Thanks! According to the article it says " Those who have disabled ActiveX when they upgraded to IE7 can rest easy." So my question is have any of the people you know done this to their Acer laptops.
--
"Sometimes one pays most for the things one gets for nothing." - Albert Einstein (1879-1955)
|
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to vircotto
said by vircotto :NG, Okay, you've confused me. (Really, not that hard to do!) I'm pretty sure that LunchAPP.APlunch is the ActiveX control in question. I've found a site where on 11/19/06 Tan Chew Keong presented information: » vuln.sg/acerlunchapp-en.htmlHe only tested on two Acer notebooks as that was all he had access to. He does provide some test code that launches calc.exe. Also, I found this: » nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6121 Yup and I see all of the links out there about a lunchapp thingie all points to his info..or others who just linked to or copied his warning...BUT since I myself do not have one of those laptops..and since [LaunchApp] Alaunch is surely part of Acer stuff..I am trying to figure out myself if he just has a 'typo' in his write up..and he really mean Launch...or he did find a lunch and it is not even part of Acer stuff and might be a bad boy..so hope that someone who has an Acer laptop can really confirm it is lunch for the activeX..since to me that would be very strange.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
| reply to Name Game
said by Name Game :My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS.. Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really.
All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need. 
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
1 edit | reply to vircotto
Yup..I know Markus and that really sucks..
@Vircotto
I am still not convinced on all this myself..you see calc.exe has been exploited many times in the past..here are a few examples ..
W32/Bagle@MM , W32/HLL.cmp.406528 , Win32.Dumaru.A,
HLLC.HappyFlowers, W32.Walcomp
»www.symantec.com/security_respon···-4618-99
so i still wonder if Tan Chew Keong might just have found infected laptops..and there is a lunch thigie associated with it..and it's a new exploit.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ |
|
novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH
| reply to jansson_mark
said by jansson_mark :said by Name Game :My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS.. Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really. All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need. Know what you mean. The restore info isnt so much on unpartioned space its on a hidden (only from windows) partion. Its visable on most through good old fdisk if not fdisk its visable from a linux boot or live cd. Been a while sense i used fdisk but i beleive it has a option in there some where to create a hidden partion. Or maybe you simply leave them as a inactive partion.
The so called restore cds are more often than not the program x you mention and all the restore data or at least most is on the partion.
The single biggest problem with such partions is even though windows do not see them some truely nasty little viris and trojans do and because these are almost never more than fat 32 partions no security rules effect the partion. Non admins have full read right delete access to said partion.
So basically you execute viri x as non admin limited user and nothing happens then one day you decide youve got to much crap on your comp and restore to factory default. Now this viri x gets installed during restore and your screwed.
Lucky for all of us these little nasties are few and far between. Ive seen 3 examples of them in something like 8 years of cleaning up infections.
As for the whole not including a xp/os disk that just pisses me off. Personally i dont care one way or the other. I can get xp pro full retail version for 150. The guy who i buy from will be selling the vista ultimate edition just as relitivly cheap when its released same for all other versions. When i bought my xp pro i paid 199 instead of 299 so i fully expect vista ultimate to be about 200 cheaper from him than any where else.
Want cheap and 100% legal copies of windows oses shop the mom and pop shops. Forget online sales forget big retailers go mom and pop shops. The way such shops see it if they can cut you a great deal on a computer or hardware or software youll bring them all your buissness. Then they can make more of your hard earned money even when something might be a little more expensive.
--
Evil does exist and it has a face to often that face is one that should look on their child with love in their eyes.
Instead only hate exists in those eyes. |
|
jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
2 edits | reply to vircotto
Getting back to the original topic for a moment, this does *NOT* appear to be a typo.
I have a fairly new Acer laptop myself (unfortunately, I don't have it here at home at the moment...but plan to check as soon as I can).
However, while I'm familiar with the harmless Acer Launch Manager utility, a google search brings up a fair amount of info concerning this "Lunch"App active-x control.
It's funny, even Google wants to correct me when I search specifically for this LunchApp.ocx to be sure I didn't mean "Launchapp.ocx".
»www.google.com/search?q=LunchApp···&oe=utf8
As you can see, there seems to be a lot of fuss about this "LUNCH" 
Or here's a search for LunchApp.APlunch
»www.google.com/search?q=LunchApp···&oe=utf8
Acer Laptop users can probably "search all files and Folders" for the actual LunchApp.ocx and see if it resides somewhere.....something I'll do when I can.
In the mean time, I think I'll read a little bit more about this. 
(Edit) Well,I see a lot of these links point back to "Tan Chew Keong's" findings, but I still think this thing exists and may be a problem for some.
--
I had a life once.....now I have a Computer and a Modem. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
1 edit | Yes..glad you came to the same conclusion. There is a Launch thingie called O4 - HKLM\..\Run: [LaunchApp] Alaunch
Many people have posted hijackthis logs who have ACER PORTABLE with this running..so this is a fact.
What appears to be not correct is the presence of any LunchApp.
So I suggest anyone that finds such an entry of LunchApp.APlunch ActiveX control that this could be an infection..I doubt is is part of Acer installed software..and the first thing I would do is post a highjackthis log from that machine at this link forum
»Security Cleanup
and let some experts take a look at it.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ |
|
Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK
clubs:
·MTA Online
| reply to Name Game
said by Name Game :My advice to anyone who buys a new PC or laptop especially some of those Dell's would be to wipe it clean, reformat the whole drive and then have a tech reinstall the OS..nowdays all those "manufactures" put so much junk on the machine you are really buying a can of spam and junk third party proggies..unstable machines..and not just the hardware. No user will ever be in full control of the machine until the do. said by jansson_mark :Unfortunally some manufactorers/resellers do NOT provide you with clean install XP cdroms, but rather their OWN restore cdroms...or in some cases simply some bizarre "recovery feature" (like hidden image stored in unpartitioned hdd space) that can only be activated with some bizarre programX inside the computer. This sucks. Really. All what I want from manufactorer is XP:s install cdrom and possibly the drivers disk (or simply mentions about what drivers are needed). Thats all I need. I learned long ago to order recovery CDs when purchasing computers from Dell. I've also purchased computers "off the shelf" from Wal*Mart.
HP (Hewlett Packard) is the worse for loading it's junk on the same CD as the operating system. I've had the misfortune of owning two HP OEM computers and both recovery CDs included Back Web, AOL Free Trial Offers, etc. This useless garbage is reinstalled when the operating system is reinstalled.
Dell, however, only includes the operating system on their Recovery CD and none of the Dell-branded junk. Drivers are on another CD. In September, I purchased another Dell computer and even before that computer ever connected to the internet, the hard drive was wiped clean and the operating system reloaded. No junk was reinstalled along with the operating system. |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to vircotto
from
»www.securityfocus.com/brief/404
"..
Computer maker Acer has shipped its notebook computers with an ActiveX control that lets any Web site install software on the machine, security researchers warned this week.
The ActiveX control--named LunchApp.ocx--appears to be a way for the company to easily update customer laptops, but also allows others to do the same thing, antivirus firm F-Secure stated in a blog post on Tuesday. The security problem, first discovered in November by security researcher Tan Chew Keong, was confirmed by antivirus F-Secure.
.."
Cudni
--
Some are born to failure, others achieve it, all deserve it.Help yourself so God can help you.MVP, Microsoft Windows Security 2006 |
|
lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs: | Aye..it's on my Acer  |
|
tomazyk
join:2006-12-04
| reply to vircotto
I found this active-x control on my laptop. It's not on my IE7 list of used addons and active- x controls so I guess I don't need it. Just to be on a safe side I will rename the file, if acer would need that control it would probably ask me to download it. So no harm done. |
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL
| reply to vircotto
Those with Acer computers might wish to check out this link to Heise Security:
»www.heise-security.co.uk/news/83426
"Many Acer laptops have a dangerous backdoor, which can be used by websites to gain complete control over the laptop. The problem lies with the LunchApp.APlunch Active X control, which is installed by default and which heise Security found on all the Acer laptops it tested, including a brand new TravelMate, which happened to be in the c't editorial suite for testing. Visiting a test website, which was easily set up, started the Windows calculator on this system without user interaction.
The control, with class ID D9998BD0-7957-11D2-8FED-00606730D3AA, is marked as safe for scripting by the manufacturer, so that any website can call it and control it using JavaScript. Using the Run method, it would be possible to launch any program on the system at will, and even pass parameters to programs it is launching. ..."
Apparently, it's possibly been on Acer laptops dating to 1998.
"Even an Acer rep admitted to heise Security that it looked as if it had simply been forgotten. Removing it does not cause any loss of performance on the system tested."
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to vircotto
Ok I owe you all a free lunch do you want that breaded or raw.ocx |
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL
| said by Name Game :Ok I owe you all a free lunch do you want that breaded or raw.ocx Thanks, but I'll have to pass on mine... for some time, I've been on an ActiveX-free diet. 
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| That's a relief..would not want anyone to launch their lunch all over the thread..thanks again to all those who helped make DSLR security forum once again a place where you can sort out fact from friction.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
