Critical ActiveX control flaw found in image uploader sent to users by Facebook, MySpace
Symantec has warned that a critical flaw in the ActiveX control of image uploaders that have been widely distributed to users of popular social networking sites Facebook and MySpace can be exploited by hackers to install malicious code on user's computers.
Symantec attached one of its highest “urgency” ratings to its warning Thursday that a new ActiveX vulnerability has been detected in image uploaders that automatically are given to Facebook and MySpace users. The flaw also has been found in the ActiveX control in the Aurigma Image Uploader, which may have been used as the basis for the Facebook and MySpace uploaders, Symantec said.
Symantec warned that an attacker exploiting the ActiveX vulnerability could inject malicious code into the PC of anyone who has installed an uploader containing the flaw on their PC, potentially enabling attackers to take control of the PC.
"They could use [the ActiveX vulnerability] to introduce any malicious code that is out there," Oliver Friedrich's, Symantec Security Response director, told SCMagazineUS.com
Friedrich's said that one likely attack scenario may involve hackers using phishing emails to lure MySpace and Facebook users to malware sites and then exploiting the ActiveX flaw in the uploader on the user's computer to gain control of the unit or steal the user's data.
According to the alert issued by Symantec, "when the ActiveX control is processed, the attacker's code will run with the privileges of the user."
Because the vulnerability resides in the ActiveX control's buffer overflow, it will crash the user's browser if an exploit attack is not successful, Friedrich said. Ironically, he noted, a browser crash -- while a temporary inconvenience to the user -- is actually protecting the user from the attack because it will prevent any infusion of malicious code.
Symantec detected the ActiveX control buffer-overflow vulnerability in Aurigma Image Uploader versions 4.5.50 and 4.6.70, but it was not found in version 4.6.17 of the unit, Symantec said. The security vendor recommended that users of the uploader set their web browser security to disable the execution of script code or active content.
Image uploaders automatically are distributed on Facebook and MySpace to users who upload files and images to the sites using Microsoft's Internet Explorer (IE).
A series of ActiveX vulnerabilities have been discovered during the past year. ActiveX flaws were detected in a webcam uploader used on Yahoo! Messenger, and a bug in the control was found in Microsoft Office.