Ghosts in the Machine

Fact: PCs come with dangerous security holes -- Compaq's Presario is only the latest example. But companies and consumers are blind to the danger until someone happens to notice. Is there a better way? By Chris Oakes.

When Richard Smith bought a new Compaq Presario last Friday, he suspected there might be a few holes in the security of the computer's Internet software.

Sure enough. Within ten minutes of booting up the PC, Smith had flushed out the software equivalent of an assassin for hire.

"I think this is one of the worst problems I've ever seen," said Smith, who has made a side-career during the last year of sniffing out major software holes.

Compaq had granted its Internet software potent capabilities. A clever Web page or email message could put out an electronic hit on an unwitting Presario owner using a software demon that comes in the guise of an applet.

The applet, called "SpawnApp," was installed by Compaq on its Presario line of PCs as part of its customer service applications.

While Compaq intended to streamline customer support over the Net using handy Web tools -- Internet Explorer 4 and Java applications -- the company unwittingly put its customers at risk.

"All you need is a little bit of JavaScript to misuse the control. They've left it wide open, so you can run anything. You can give a delete command that deletes everything in the [Windows] My Documents directory."

"Anybody can use it because [Compaq's] told the world it's a safe thing."

SpawnApp is a bridge, launching any DOS or Windows application. With simple coding, a rogue programmer could access the Java applet from the Net to launch any application on the computer. Programmers could use the applet to mess up some data -- perhaps nab some files and email messages, or change the PC's security settings for further breaches.

The problem is apparently the tip of an iceberg that may plague more PCs than even manufacturers know. These ghosts in the software machine only get noticed when people like Smith do some digging. Companies often don't respond in force to alarms until the media spreads the word.

Smith said he wasn't the first to arrive on the scene of the dangerous applet. Another programmer, Frank Farance, originally discovered the applet in November 1998, and yet the problem remained.

Smith turned up a similar vulnerability on Hewlett-Packard's Pavilion line of PCs only a week earlier. HP moved quickly and provided a fix; Compaq is considering doing the same.

With or without fixes, Smith sees the trend as a dangerous one.

"If you take HP and Compaq together, they're in the top three or four manufacturers in the United States. They've both been shipping machines for a year which have pretty big openings ... So you've got some pretty big players messing up here."

Compaq "signed" its applet. Code signing is a standard security measure meant to indicate that the program's tasks were designed by the company and are therefore safe to execute. But because no further steps were taken to restrict who could invoke those tasks, anyone could misuse the potentially dangerous set of functions, Smith said.