Critical flaws found in MySpace, Facebook ActiveX controls

Computerworld - Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs, security experts said today.

Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft's Internet Explorer (IE) browser. Both controls are based on a commercial ActiveX control dubbed Image Uploader from Aurigma Inc., a developer in Tacoma, Wash., according to follow-up analysis done by Symantec Corp.

The president of Aurigma's North American operations and one of the company's founders would not confirm or deny that Facebook and MySpace even licensed its Image Uploader ActiveX control. However, she did say that Aurigma is aware of the vulnerability reports and is addressing the problem.

"We have engineers working on this," said Jumapili Ikuseghan. "We've also notified our customers and we expect to have a fix for this in a few hours."

Symantec, which claimed that the ActiveX control used by Facebook and MySpace came from Aurigma, was able to confirm some of Broad's findings. "The affected ActiveX control originates from Aurigma. ... However, we haven't confirmed if the original Aurigma control is vulnerable or if both MySpace and Facebook have changed the control to suit their needs and introduced the flaw in the process," Symantec said in a warning to customers of its DeepSight threat network. "The control is automatically distributed to users who use Internet Explorer to upload files and images to either site."

An exploit of either control will crash IE, Symantec said, but more dangerous results could occur, too. "Remote code execution in the context of the affected application (typically Internet Explorer) may also be possible," said the company. The latter would, if successful, allow attackers to introduce additional code -- most likely malware of some kind that would hijack the PC or steal user information.

Symantec speculated that a probable attack would be based on a malicious Web site; the hacker would trick users into visiting that site, which would then call on the buggy ActiveX controls.

"Considering the massive user base for [Facebook and MySpace] and the potential widespread distribution of this vulnerable ActiveX control, we consider this a high-profile issue," Symantec concluded.

Last November, Broad reported a similar vulnerability in Image Uploader 4.x to Aurigma. The new flaws they're now investigating appear to be different from those of last year, admitted Ikuseghan.

"We take this very seriously," she said. The November bug was patched in the same short time frame, while the ActiveX control was updated to Version 5.0 in late December.

"We will deploy [the update] to our customers," said Ikuseghan. Those corporate or Web site customers would then have to update their users with the revised ActiveX control from their own servers, she added, by prompting them to download and install the new code the next time they tried to upload an image.