Critical flaws found in MySpace, Facebook ActiveX controls
ActiveX developer promises a speedy fix
Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft's Internet Explorer (IE) browser. Both controls are based on a commercial ActiveX control dubbed Image Uploader from Aurigma Inc., a developer in Tacoma, Wash., according to follow-up analysis done by Symantec Corp.
The president of Aurigma's North American operations and one of the company's founders would not confirm or deny that Facebook and MySpace even licensed its Image Uploader ActiveX control. However, she did say that Aurigma is aware of the vulnerability reports and is addressing the problem.
"We have engineers working on this," said Jumapili Ikuseghan. "We've also notified our customers and we expect to have a fix for this in a few hours."
Symantec, which claimed that the ActiveX control used by Facebook and MySpace came from Aurigma, was able to confirm some of Broad's findings. "The affected ActiveX control originates from Aurigma. ... However, we haven't confirmed if the original Aurigma control is vulnerable or if both MySpace and Facebook have changed the control to suit their needs and introduced the flaw in the process," Symantec said in a warning to customers of its DeepSight threat network. "The control is automatically distributed to users who use Internet Explorer to upload files and images to either site."
An exploit of either control will crash IE, Symantec said, but more dangerous results could occur, too. "Remote code execution in the context of the affected application (typically Internet Explorer) may also be possible," said the company. The latter would, if successful, allow attackers to introduce additional code -- most likely malware of some kind that would hijack the PC or steal user information.
Symantec speculated that a probable attack would be based on a malicious Web site; the hacker would trick users into visiting that site, which would then call on the buggy ActiveX controls.
"Considering the massive user base for [Facebook and MySpace] and the potential widespread distribution of this vulnerable ActiveX control, we consider this a high-profile issue," Symantec concluded.
Last November, Broad reported a similar vulnerability in Image Uploader 4.x to Aurigma. The new flaws they're now investigating appear to be different from those of last year, admitted Ikuseghan.
"We take this very seriously," she said. The November bug was patched in the same short time frame, while the ActiveX control was updated to Version 5.0 in late December.
"We will deploy [the update] to our customers," said Ikuseghan. Those corporate or Web site customers would then have to update their users with the revised ActiveX control from their own servers, she added, by prompting them to download and install the new code the next time they tried to upload an image.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts