9. January 2007 03:55
This just beggars belief. Acer appears to have sold computers with a pre-installed ActiveX control that allows any web site to run any executable on your machine with any command line arguments.
Now, I'm no security expert. But working for an internet bank, you do pick a few things up. Probably by osmosis. So, I'm going to take a gamble here and state that I think this is a Really Bad Thing.
If this had been Joe Random Programmer posting some example code on his blog, then I could forgive them. A sternly worded comment could point out the error of their ways.
But a corporation has no excuse. Someone must have requested this feature, someone must have specced it, someone built it and someone tested it. And none of them noticed the glaringly large security hole?
And Slashdot ran this story on the same day they ran a story entitled "What Makes Software Development So Hard?". With news like this Acer thing, I reckon we need to make Software Development harder, and get a bit of old Darwinian magic in to fix this...