Critical flaws found in MySpace, Facebook ActiveX controls

ActiveX developer promises a speedy fix

Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs, security experts said Thursday.

Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft's Internet Explorer (IE) browser. Both controls are based on a commercial ActiveX control dubbed Image Uploader from Aurigma, a developer, according to follow-up analysis done by Symantec.

The president of Aurigma's North American operations and one of the company's founders would not confirm or deny that Facebook and MySpace even licensed its Image Uploader ActiveX control. However, she did say that Aurigma is aware of the vulnerability reports and is addressing the problem.

"We have engineers working on this," said Jumapili Ikuseghan. "We've also notified our customers and we expect to have a fix for this in a few hours."

Symantec, which claimed that the ActiveX control used by Facebook and MySpace came from Aurigma, was able to confirm some of Broad's findings. "The affected ActiveX control originates from Aurigma. ... However, we haven't confirmed if the original Aurigma control is vulnerable or if both MySpace and Facebook have changed the control to suit their needs and introduced the flaw in the process," Symantec said in a warning to customers of its DeepSight threat network. "The control is automatically distributed to users who use Internet Explorer to upload files and images to either site."

An exploit of either control will crash IE, Symantec said, but more dangerous results could occur, too. "Remote code execution in the context of the affected application (typically Internet Explorer) may also be possible," said the company. The latter would, if successful, allow attackers to introduce additional code -- most likely malware of some kind that would hijack the PC or steal user information.

Symantec speculated that a probable attack would be based on a malicious Web site; the hacker would trick users into visiting that site, which would then call on the buggy ActiveX controls.

"Considering the massive user base for [Facebook and MySpace] and the potential widespread distribution of this vulnerable ActiveX control, we consider this a high-profile issue," Symantec concluded.

Last November, Broad reported a similar vulnerability in Image Uploader 4.x to Aurigma. The new flaws they're now investigating appear to be different from those of last year, admitted Ikuseghan.

"We take this very seriously," she said. The November bug was patched in the same short time frame, while the ActiveX control was updated to Version 5.0 in late December.

"We will deploy [the update] to our customers," said Ikuseghan. Those corporate or Web site customers would then have to update their users with the revised ActiveX control from their own servers, she added, by prompting them to download and install the new code the next time they tried to upload an image.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?