ActiveX Control in MySpace and Facebook Image Uploaders Critically Flawed
A critical vulnerability in the ActiveX control component of image uploaders is highly exploitable and could allow attackers to install malware on victims' computers, warns security company Symantec. Image uploaders are widely used by members of MySpace and Facebook, the popular social networking sites.
Symantec said that the flaw is also present in the ActiveX control of the Aurigma Image Uploader, a component on which the MySpace and Facebook uploaders are likely built. SCMagazineUS reported this on February 1, 2008.
According to Symantec's warning, an attacker exploiting the vulnerability in the ActiveX control could install malicious software on a computer running a flawed, unpatched uploader, potentially gaining control of the computer.
Symantec's Security Response Director Oliver Friedrich said that attackers could exploit the ActiveX flaw to insert any kind of malicious code available, according to news reported by SCMagazineUS on February 1, 2008.
According to Friedrich, one likely attack would have attackers send phishing e-mails to Facebook and MySpace users, luring them to malicious sites that exploit the Uploader's ActiveX flaw on the victim's PC to take over the system or steal sensitive data from it.
Researchers said that exploit code for the vulnerability has been posted publicly on the milworm.com website and could soon be used in attacks. PCWorld reported this on February 1, 2008.
Security company Secunia also assessed the flaw in ImageUploader4.ocx version 220.127.116.11 and rated it "highly critical". It said that the flaw possibly affects other versions as well. PCWorld reported this on February 1, 2008.
Earlier, in November 2007, Elazar Broad reported on the Full Disclosure security mailing list that a similar flaw existed in Aurigma's Image Uploader 4.x. Jumapili Ikuseghan, President of Aurigma's North American operations, said that the new holes under investigation do not appear to be the same as those of 2007. ComputerWorld reported this on January 31, 2008.
Since no patch is yet available, researchers recommend that users set the kill bit for the Aurigma ActiveX control.
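As an added example (not from the article and not Aurigma's or Symantec's code), the following PowerShell sets and then verifies the Internet Explorer kill bit for an ActiveX control. It assumes the control's CLSID, which the article does not give, is substituted for the placeholder, and it must be run from an elevated prompt.

```powershell
# Kill-bit mitigation: IE refuses to instantiate a control whose CLSID has the
# 0x400 bit set in "Compatibility Flags" under the ActiveX Compatibility key.
# PLACEHOLDER CLSID below - replace with the Aurigma ImageUploader4.ocx CLSID
# taken from the vendor's or Symantec's advisory.
$Clsid       = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
$KillBitFlag = 0x400

# 64-bit Windows keeps a separate branch for 32-bit IE under Wow6432Node.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        # Skip the Wow6432Node branch on a 32-bit OS where it does not exist.
        if ($base -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR in the kill bit so any other compatibility flags already set are preserved.
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key   = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

Set-ActiveXKillBit  -Clsid $Clsid
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```

The check is worth repeating after any later vendor update, since an installer that re-registers the control does not clear the kill bit, so the fixed version stays blocked until the bit is removed deliberately.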
Related article: ActiveX Bug Surfaces in RealPlayer Media Player
» SPAMfighter News - 12-02-2008