Most new PCs aren't up to date on security patches when a buyer takes them out of the box, but at least fixes can be downloaded as soon as an Internet connection is established. (And that's exactly what you should do, particularly if you just bought a Windows computer.)
But Acer ships some of its computers with a vulnerable ActiveX control for which there is no apparent fix, according to F-Secure. If an Acer user were to visit a malicious Web site using Internet Explorer, an attacker could commandeer the system, the Finnish antivirus experts warned on their blog.
"It gets even better. Acer enabled 'safe for scripting' on that ActiveX library so you wouldn't even see when it's used," F-Secure wrote. The library, named LunchApp.ocx, is probably meant to help with browsing the vendor's Web site, it said.
The security issue appears to have been known since at least last November, when a security researcher detailed it on a Web site.
An Acer representative did not immediately return a call seeking comment. It is unknown how many Acer computers contain the flawed ActiveX control, or whether Acer has a fix.
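For administrators who want to check their own machines, the PowerShell below is an added example, not code from F-Secure or Acer. It finds COM classes registered to LunchApp.ocx, reports whether the registry marks them safe for scripting, and can optionally set Internet Explorer's kill bit for them. The function name Get-ControlAudit is hypothetical, and the CLSID is looked up in the registry because the article does not give it.

```powershell
# Added example (not from F-Secure or Acer). Get-ControlAudit is a hypothetical name.
# CATID_SafeForScripting: category a control registers to tell IE it may be scripted.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a CLSID

# 64-bit and 32-bit registry views; each has its own CLSID and kill-bit locations.
$Views = @(
    @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-ControlAudit {
    param([Parameter(Mandatory)][string]$FileName, [switch]$SetKillBit)
    foreach ($view in $Views) {
        if (-not (Test-Path $view.Classes)) { continue }
        foreach ($key in Get-ChildItem -Path $view.Classes -ErrorAction SilentlyContinue) {
            # The default value of InprocServer32 is the path of the DLL/OCX behind the class.
            $inproc = $key.OpenSubKey('InprocServer32')
            if (-not $inproc) { continue }
            $server = [string]$inproc.GetValue('')
            $inproc.Close()
            if ($server -notlike "*$FileName*") { continue }

            $clsid  = $key.PSChildName
            $safe   = Test-Path "$($key.PSPath)\Implemented Categories\$SafeForScripting"
            $compat = Join-Path $view.Compat $clsid
            $flags  = [int](Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($SetKillBit -and -not ($flags -band $KillBit)) {
                if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
                $flags = $flags -bor $KillBit
                New-ItemProperty -Path $compat -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
            }
            [pscustomobject]@{
                Clsid = $clsid; Server = $server
                SafeForScriptingInRegistry = $safe   # IObjectSafety can also assert this at run time
                KillBitSet = [bool]($flags -band $KillBit)
            }
        }
    }
}

# Report only:          Get-ControlAudit -FileName 'LunchApp.ocx'
# Report and mitigate:  Get-ControlAudit -FileName 'LunchApp.ocx' -SetKillBit   (elevated prompt)
```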