Critical vulnerability found in Ask.com toolbar
- 26 September, 2007 10:06
A vulnerability in Ask.com's toolbar for Internet Explorer could allow an attacker to take control of a person's computer, according to security advisories.
The problem concerns a buffer overflow flaw in the toolbar and involves an ActiveX control, according to an advisory posted by security vendor Secunia APS, which rated the problem as "highly critical," its second most severe rating. It affects version 4.0.2 of the toolbar and possibly others.
Proof-of-concept exploit code for the vulnerability has been publicly posted on other disclosure forums, with a person named "Joey Mengele" credited with finding the flaw. Ask.com officials contacted in London were not immediately able to comment.
The Ask.com toolbar sits below the address bar and can perform a variety of category-specific searches, such as weather information, stock quotes or search a person's desktop as well as regular Web searching.
As of this week, WabiSabi Labi, a Swiss company that specializes in selling vulnerability information, was still auctioning the Ask.com toolbar problem for minimum of Euro 500 (US$705), although no bids were listed.
WabiSabi Labi's auctioning of security vulnerabilities has caused a stir among security analysts who believe software companies should be discreetly notified of vulnerabilities and allowed to patch the software so as to not put users in danger. The company maintains security researchers should be rewarded for their work.