Computer maker Acer has shipped its notebook computers with an ActiveX control that lets any Web site install software on the machine, security researchers warned this week.

The ActiveX control--named LunchApp.ocx--appears to be a way for the company to easily update customer laptops, but also allows others to do the same thing, antivirus firm F-Secure stated in a blog post on Tuesday. The security problem, first discovered in November by security researcher Tan Chew Keong, was confirmed by antivirus F-Secure.

"The library, named LunchApp.ocx, is probably supposed to help with browsing the vendor's website, enable easy updates and such," wrote F-Secure's research team. "It turns out it also makes all those machines vulnerable to a specially crafted HTML file that could instantly download malicious file(s) onto the user's machine and then execute them."

The Acer vulnerability is not the first time that a company has shipped flawed software that threatened customers' security. In December, music giant Sony BMG settled lawsuits filed by Texas and California that sought consumer remedies after the company distributed audio CDs with copy protection software that undermined the security of computers on which the program was installed. ActiveX controls--a framework for creating software components to add interactivity to Web sites as well as add functionality to the operating system--have frequently been at the heart of security problems for Microsoft.

Acer did not immediately respond to a request for comment. It's unknown if the company has taken steps to fix the problem.

securityfocus.com