IBM today released patches for its eGatherer 2.0.0.16 and acpRunner 1.2.5.0 ActiveX controls. If the controls are left unpatched, an attacker could "write malicious files anywhere on a computer's hard disk via a special Web page."
Hackers could use two IBM ActiveX controls designed for automated PC support to attack PCs through the Internet Explorer browser, according to security firm eEye Digital Security. The company found flaws in the eGatherer 2.0.0.16 and acpRunner 1.2.5.0 ActiveX controls that could allow attackers to write malicious files anywhere on a computer's hard disk via a specially crafted Web page. The eGatherer control is installed by default on many IBM PCs.
Because the controls are signed by IBM, users who have chosen to "trust" IBM-signed components could be compromised simply by visiting such a page, eEye says in two recent advisories. The company published example exploits for both controls. Also last week, Linux vendors began patching several new, but less serious, holes in the 2.6 and 2.4 kernels and in the Gentoo and Debian distributions.
Could Invite Spyware
The ActiveX controls are simply badly designed, exposing unsafe methods for accessing a user's PC to any Web page that can script them, according to eEye. "ActiveX is a very profound Web technology. As a profound Web technology it may be abused," writes eEye in its advisory. "Designers might create an ActiveX which could perform any function on a user's computer. The responsibility rests with the creator of the ActiveX, as in any trust model." IBM has released a fix for the problem on its website. Security tools such as eEye's Retina Network Security Scanner can also detect PCs that still have the vulnerable controls installed.
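For administrators who cannot roll out IBM's fix immediately, the standard Windows mitigation for a dangerous ActiveX control is to set its kill bit in the registry, after which Internet Explorer refuses to instantiate the control regardless of who signed it. The script below is an added example written for this page; it is not code from IBM, eEye or the article. It inventories registered ActiveX controls whose server binary name matches the two IBM controls, reports each one's file version, "safe for scripting" registration and kill-bit status, and sets the kill bit when asked. It assumes the controls' binaries contain "egatherer" or "acprunner" in their file names, which the article does not state; the authoritative CLSIDs come from the IBM and eEye advisories and can be passed with -Clsid instead.

```powershell
<#
  Added example (not IBM's, eEye's or the article's code): find ActiveX
  controls that look like the IBM eGatherer / acpRunner controls, report
  version, safe-for-scripting flags and kill-bit state, optionally kill-bit
  them. Run in an elevated PowerShell session.
  Assumptions: file names contain "egatherer" or "acprunner" (not stated on
  the page); pass the real CLSIDs from the advisories via -Clsid if known.
#>
param(
    [string[]]$NamePattern = @('egatherer', 'acprunner'),  # assumed file-name fragments
    [string[]]$Clsid       = @(),                          # optional exact CLSIDs from the advisories
    [switch]$SetKillBit
)

$KillBitFlag      = 0x400                                   # kill bit in "Compatibility Flags" (Microsoft KB 240797)
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' # CATID_SafeForInitializing

# 64-bit hosts register 32-bit controls under Wow6432Node; check both registry views.
$Views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

# Current "Compatibility Flags" DWORD for a CLSID, or 0 if none is set.
function Get-CompatFlags([string]$CompatRoot, [string]$Id) {
    $p = Get-ItemProperty -Path (Join-Path $CompatRoot $Id) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
}

# OR the kill bit into the existing flags so other compatibility flags survive.
function Set-KillBit([string]$CompatRoot, [string]$Id) {
    $path = Join-Path $CompatRoot $Id
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $flags = (Get-CompatFlags $CompatRoot $Id) -bor $KillBitFlag
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($view in $Views) {
    if (-not (Test-Path $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -Path $view.Clsid -ErrorAction SilentlyContinue) {
        $id     = $key.PSChildName
        $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }                       # not an in-process control
        $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $leaf   = [IO.Path]::GetFileName($server)

        $byName = $NamePattern | Where-Object { $leaf -like "*$_*" }
        $byId   = $Clsid       | Where-Object { $_ -eq $id }
        if (-not $byName -and -not $byId) { continue }

        $flags  = Get-CompatFlags $view.Compat $id
        $killed = [bool]($flags -band $KillBitFlag)
        if ($SetKillBit -and -not $killed) { Set-KillBit $view.Compat $id; $killed = $true }

        [pscustomobject]@{
            CLSID            = $id
            File             = $server
            FileVersion      = if (Test-Path $server) { (Get-Item $server).VersionInfo.FileVersion } else { '(file missing)' }
            SafeForScripting = Test-Path "$($key.PSPath)\Implemented Categories\$SafeForScripting"
            SafeForInit      = Test-Path "$($key.PSPath)\Implemented Categories\$SafeForInit"
            KillBitSet       = $killed
        }
    }
}
```

Run it once without -SetKillBit to see what is registered and compare FileVersion against the versions named in the advisories; a control that is both SafeForScripting and not kill-bitted is the condition the article warns about, since any page in the Internet zone can script it. Re-run with -SetKillBit to block the matched CLSIDs until IBM's fix is installed. The kill bit disables the control inside Internet Explorer only; it does not remove the binary, and applications that host the control through other means are unaffected.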