Critical flaws found in MySpace, Facebook ActiveX controls

ActiveX developer promises a speedy fix

Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs, security experts said Thursday.

Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft's Internet Explorer (IE) browser. Both controls are based on a commercial ActiveX control dubbed Image Uploader from Aurigma, a developer, according to follow-up analysis done by Symantec.

The president of Aurigma's North American operations and one of the company's founders would not confirm or deny that Facebook and MySpace even licensed its Image Uploader ActiveX control. However, she did say that Aurigma is aware of the vulnerability reports and is addressing the problem.

"We have engineers working on this," said Jumapili Ikuseghan. "We've also notified our customers and we expect to have a fix for this in a few hours."

Symantec, which claimed that the ActiveX control used by Facebook and MySpace came from Aurigma, was able to confirm some of Broad's findings. "The affected ActiveX control originates from Aurigma. ... However, we haven't confirmed if the original Aurigma control is vulnerable or if both MySpace and Facebook have changed the control to suit their needs and introduced the flaw in the process," Symantec said in a warning to customers of its DeepSight threat network. "The control is automatically distributed to users who use Internet Explorer to upload files and images to either site."

An exploit of either control will crash IE, Symantec said, but more dangerous results could occur, too. "Remote code execution in the context of the affected application (typically Internet Explorer) may also be possible," said the company. The latter would, if successful, allow attackers to introduce additional code -- most likely malware of some kind that would hijack the PC or steal user information.

Symantec speculated that a probable attack would be based on a malicious Web site; the hacker would trick users into visiting that site, which would then call on the buggy ActiveX controls.

"Considering the massive user base for [Facebook and MySpace] and the potential widespread distribution of this vulnerable ActiveX control, we consider this a high-profile issue," Symantec concluded.

Last November, Broad reported a similar vulnerability in Image Uploader 4.x to Aurigma. The new flaws they're now investigating appear to be different from those of last year, admitted Ikuseghan.

"We take this very seriously," she said. The November bug was patched in the same short time frame, while the ActiveX control was updated to Version 5.0 in late December.

"We will deploy [the update] to our customers," said Ikuseghan. Those corporate or Web site customers would then have to update their users with the revised ActiveX control from their own servers, she added, by prompting them to download and install the new code the next time they tried to upload an image.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?