IBM acpRunner Access Support ActiveX control contains a flaw that may allow a remote attacker to place arbitrary files. The issue is triggered due to insecure methods ("DownLoadURL", "SaveFilePath", and "Download"), which may allow a malicious web site to place a file in an arbitrary location on a user's system resulting in a loss of integrity.

Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.

• Secunia Advisory ID: 11072
• ISS X-Force ID: 16429
• CVE ID: 2004-0586 (see also: NVD)
• Other Advisory URL: http://research.eeye.com/html/advisories/published/AD20040615A.html
  http://www.eeye.com/html/research/advisories/AD20040615A.html [ Link is 404 ]
• Vendor Specific Solution URL: http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-54588
• News Article: http://www.computerweekly.com/articles/article.asp?liArticleID=131444
• Vendor URL: http://www.ibm.com/us/

• [email protected] - Unaffiliated
• Drew Copley - eEye Digital Security