Facebook, MySpace hit by zero-day flaw

Image uploader flaw puts users at risk

Exploit code affecting an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly, putting users of the social networking sites at risk, according to security researchers.

On the Full Disclosure security mailing list, researcher Elazar Broad disclosed a vulnerability in the Aurigma Image Uploader, an application used by Facebook and MySpace. Exploitation of the bug could allow an attacker to execute malicious code on a user's system.

Code exploiting the flaw has been publicly released on the milw0rm.com website, making it only a matter of time before attacks are put into place, researchers said.

The vulnerability is due to a boundary error in the ActiveX control Aurigma.ImageUploader.4.1 when handling strings assigned to the "Action" property, according to security firm Secunia.

This can be exploited to cause a buffer overflow by assigning an overly long string to the affected property, Secunia said.

Secunia said it had verified the flaw in ImageUploader4.ocx version 4.5.70.0, and assigned it a "highly critical" rating. Other versions are also likely to be affected, Secunia said.

Since no patch is available yet, researchers advised users to set the kill-bit for the Aurigma ActiveX control.

Social networking sites have exploded in popularity in recent months and have become accepted as business tools in some quarters, leading to security concerns.

In December, WorkLight released a tool designed to allow companies to provide employees with access to Facebook while ensuring the social network is run from behind secure corporate firewalls.

Earlier in 2007 Sophos found that Facebook users are too gullible in giving up personal information, making them targets for identity theft.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
Use WhistleOut's technology to compare:
Mobile phone plans & deals
Mobile phone models
Mobile phone carriers
Broadband plans & deals
Broadband providers
Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?