Critical flaw in image uploader used by Facebook, MySpace

Share this article:

Symantec has warned that a critical flaw in the ActiveX control of image uploaders that have been widely distributed to users of popular social networking sites Facebook and MySpace can be exploited by hackers to install malicious code on user's computers.

Symantec attached one of its highest “urgency” ratings to its warning Thursday that a new ActiveX vulnerability has been detected in image uploaders that automatically are given to Facebook and MySpace users. The flaw also has been found in the ActiveX control in the Aurigma Image Uploader, which may have been used as the basis for the Facebook and MySpace uploaders, Symantec said.

Symantec warned that an attacker exploiting the ActiveX vulnerability could inject malicious code into the PC of anyone who has installed an uploader containing the flaw on their computer, potentially enabling attackers to take control of the PC.

"They could use [the ActiveX vulnerability] to introduce any malicious code that is out there," Oliver Friedrich's, Symantec Security Response director, told SCMagazineUS.com

Friedrich's said that one likely attack scenario may involve hackers using phishing emails to lure MySpace and Facebook users to malware sites and then exploiting the ActiveX flaw in the uploader on the user's computer to gain control of the unit or steal the user's data.

According to the alert issued by Symantec, "when the ActiveX control is processed, the attacker's code will run with the privileges of the user."

Because the vulnerability resides in the ActiveX control's buffer overflow, it will crash the user's browser if an exploit attack is not successful, Friedrich said. Ironically, he noted, a browser crash -- while a temporary inconvenience to the user -- is actually protecting the user from the attack because it will prevent any infusion of malicious code.

Symantec detected the ActiveX control buffer-overflow vulnerability in Aurigma Image Uploader versions 4.5.50 and 4.6.70, but it was not found in version 4.6.17 of the unit, Symantec said. The security vendor recommended that users of the uploader set their web browser security to disable the execution of script code or active content. 

Image uploaders automatically are distributed on Facebook and MySpace to users who upload files and images to the sites using Microsoft's Internet Explorer (IE).

A series of ActiveX vulnerabilities have been discovered during the past year. ActiveX flaws were detected in a webcam uploader used on Yahoo! Messenger, and a bug in the control was found in Microsoft Office.

 

 

Share this article:

Sign up to our newsletters

More in News

Hackers target video game companies to lift copy protections and develop cheats

A threat group is targeting video game companies in order to lift DRM protections, develop cheats and possibly to steal source code.

Android malware spreads via mail tracking SMS spam

The mobile malware is currently targeting German users, McAfee revealed.

About 2,800 victims of worldwide info-stealing campaign targeting various sectors

About 2,800 victims of worldwide info-stealing campaign targeting ...

Unknown attackers have claimed about 2,800 victims in an ongoing information-stealing campaign identified by Kaspersky Lab as "Crouching Yeti."