Flaws Found In ActiveX Controls Used By Facebook, MySpace

US-CERT also issued similar warnings for Yahoo's MediaGrid ActiveX control and the Datagrid ActiveX control.
US-CERT, part of the Department of Homeland Security, on Monday warned of an unpatched vulnerability in Aurigma's ImageUploader, image-uploading software used by both MySpace and Facebook.

"By convincing a user to view a specially crafted HTML document (e.g., a Web page or an HTML e-mail message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system," explains US-CERT.

The cybersecurity organization on Tuesday issued a similar warning for the Yahoo MediaGrid ActiveX control and the Datagrid ActiveX control.

Six distinct buffer overflow vulnerabilities that affect several popular ActiveX controls have been reported in the past week, according to Symantec. The affected software includes Aurigma Imaging Technology ImageUploader4 and ImageUploader5, Yahoo MediaGrid and DataGrid ActiveX controls, and Facebook Photo Uploader 4 ActiveX Control.

A flaw in the MySpace.Uploader.4.1 ActiveX control was reported by Secunia on January 31, and an upgraded version of the software is available.

Symantec said it was not aware of any public exploitation of these vulnerabilities. Proof of concept exploit code is available, however.

US-CERT encourages computer users to disable ActiveX controls to help make Internet browsing more secure.
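For Windows administrators who want to act on that advice per control rather than switching off ActiveX wholesale, Internet Explorer honours a "kill bit" in the registry that stops it from instantiating a given control. The script below is an added example, not code from US-CERT, Aurigma, Yahoo or any of the vendors named above; the CLSID it uses is an obvious placeholder, and the real CLSID of an affected control must come from the vendor's or US-CERT's advisory. It sets the kill bit (flag 0x400 in the `Compatibility Flags` value), preserves any flags already present, mirrors the setting into the `Wow6432Node` hive on 64-bit Windows for the 32-bit browser, and reports whether the bit is now in place.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or any vendor). Sets and verifies the IE
# ActiveX "kill bit" for one control, identified by its CLSID.

$KillBit = 0x400   # the Compatibility Flags bit IE checks before loading a control

function Get-KillBitKeyPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 64-bit Windows keeps a second view for the 32-bit browser; cover both
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    foreach ($key in Get-KillBitKeyPaths -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into whatever flags exist instead of clobbering them
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = ([int]$existing) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if every applicable hive carries the kill bit
    foreach ($key in Get-KillBitKeyPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

# PLACEHOLDER CLSID: replace with the control's real CLSID from the advisory
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $TargetClsid
if (Test-ActiveXKillBit -Clsid $TargetClsid) {
    Write-Output "Kill bit set for $TargetClsid"
} else {
    Write-Warning "Kill bit NOT set for $TargetClsid"
}
```

Run it from an elevated PowerShell session; the kill bit takes effect the next time the browser is started and does not remove the control's files, so it is a containment measure to hold until the vendor's fixed version is installed.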

Trend Micro security researcher Jake Soriano said in a blog post that the vulnerabilities demonstrate that the growing popularity of social networks brings with it more risk.

Last week, Aurigma encouraged users to upgrade to version 5.0, saying that version wasn't vulnerable. However, Symantec maintains that ImageUploader5 is vulnerable.
