Attackers have begun to exploit critical flaws in the ActiveX control of the Yahoo! Music Jukebox that permit them to inject malicious code into a user’s computer, Symantec reported Tuesday.
Symantec honeypots began picking up in-the-wild exploits of a remote buffer overflow vulnerability in the AddImage function of the Music Jukebox control a day after warnings of critical flaws in the ActiveX control were issued, according to a posting on Symantec’s Security Response blog.
Yahoo!, meanwhile, announced that it is phasing out Yahoo! Music Unlimited, which was distributing the flawed media player, and switching customers to RealNetworks’ Rhapsody service. Yahoo! announced on Monday a strategic partnership with Rhapsody that will make Rhapsody the exclusive on-demand music service for Yahoo!
Symantec’s posting said that, thus far, only one of several vulnerabilities detected in the ActiveX control for the Music Jukebox has been exploited in the wild, but it expects the other flaws in the control to draw attackers soon.
“So far the exploits that we have seen in the wild have been carbon copies of the public exploit. I suspect that it won’t take long before the exploit is wrapped in an encoder in an attempt to make detection more difficult,” Symantec researcher Sean Hittel said in the blog posting.
Vulnerabilities in ActiveX controls for the Yahoo! player make the controls susceptible to buffer overflow attacks that enable attackers to inject malicious code into a user’s computer or even take control of the PC. Warnings of the vulnerabilities – deemed “highly critical” by researchers – were issued just a few days after similar critical flaws were found in ActiveX controls for image uploaders that have been widely distributed to MySpace and Facebook users.
FrSIRT, the French security response team, reported Monday that buffer overflow errors in the datagrid.dll and mediagrid.dll ActiveX controls of the Music Jukebox, triggered “when processing overly long arguments” passed to the AddImage, AddButton or AddBitmap functions, can be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a malware site.
The French response team also warned that the ActiveX flaws in the Music Jukebox could generate a denial of service.
Symantec last week attached one of its highest “urgency” ratings to its warning that an ActiveX vulnerability was detected in image uploaders that automatically are given to Facebook and MySpace users. The flaw also has been found in the ActiveX control in the Aurigma Image Uploader, which may have been used as the basis for the Facebook and MySpace uploaders, Symantec said.
A public relations firm sent SCMagazineUS.com on Monday what it said was a “joint statement” from MySpace and Facebook indicating that the two popular social networking sites, working with Aurigma, had identified a solution to the ActiveX flaw in the uploaders and had “collaborated to resolve the issue.”
Symantec warned last Thursday that an attacker exploiting the ActiveX vulnerability could inject malicious code into the PC of anyone who has installed an uploader containing the flaw on their computer, potentially enabling attackers to take control of the PC.
“They could use [the ActiveX vulnerability] to introduce any malicious code that is out there,” Oliver Friedrich, Symantec Security Response director, told SCMagazineUS.com.
Friedrich said that one likely attack scenario may involve hackers using phishing emails to lure MySpace and Facebook users to malware sites and then exploiting the ActiveX flaw in the uploader on the user’s computer to gain control of the unit or steal the user’s data.
According to the alert issued by Symantec, “when the ActiveX control is processed, the attacker’s code will run with the privileges of the user.”
Friedrich said that because the vulnerability is a buffer overflow in the ActiveX control, it will crash the user’s browser if an exploit attempt is not successful. Ironically, he noted, a browser crash — while a temporary inconvenience to the user — is actually protecting the user from the attack because it will prevent any infusion of malicious code.
Symantec detected the ActiveX control buffer-overflow vulnerability in Aurigma Image Uploader versions 4.5.50 and 4.6.70, but it was not found in version 4.6.17 of the unit, Symantec said. The security vendor recommended that users of the uploader set their web browser security to disable the execution of script code or active content.
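As an added illustration of the mitigation Symantec recommends above (this is example code written here, not from Symantec, Aurigma or Yahoo!), the following PowerShell script audits and disables ActiveX controls and active scripting in Internet Explorer’s Internet zone, and shows how an administrator sets the ActiveX “kill bit” for a specific control. The CLSID used is a placeholder, since the article does not list the affected controls’ CLSIDs; the zone and kill-bit registry locations are standard Internet Explorer settings.

```powershell
# Added example, not the article's or any vendor's code.
# Zone settings apply to the current user; the kill bit needs an elevated (Administrator) shell.
# The CLSID below is a PLACEHOLDER; obtain the real one from the vendor or advisory.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$settings = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$disable = 3   # IE zone action values: 0 = enable, 1 = prompt, 3 = disable

function Get-ZoneSetting {
    param([string]$Name)
    (Get-ItemProperty -Path $zonePath -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Audit each setting and tighten it only if it is not already disabled.
foreach ($key in $settings.Keys) {
    $current = Get-ZoneSetting -Name $key
    Write-Host ("{0} ({1}): current value = {2}" -f $settings[$key], $key, $current)
    if ($current -ne $disable) {
        Set-ItemProperty -Path $zonePath -Name $key -Value $disable -Type DWord
        Write-Host ("  -> set to {0} (disabled)" -f $disable)
    }
}

# Kill bit: instructs IE never to instantiate this control, regardless of zone settings.
# Compatibility Flags = 0x400 is the documented kill-bit value.
$clsid    = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER CLSID of the vulnerable control
$killPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $killPath)) { New-Item -Path $killPath -Force | Out-Null }
Set-ItemProperty -Path $killPath -Name 'Compatibility Flags' -Value 0x400 -Type DWord
Write-Host "Kill bit (0x400) set for $clsid"
```

Disabling active content in the Internet zone blocks ActiveX and scripting on all untrusted sites, so sites that legitimately need them must be added to the Trusted sites zone; the kill bit is the narrower control once the affected CLSID is known.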
Image uploaders automatically are distributed on Facebook and MySpace to users who upload files and images to the sites using Microsoft’s Internet Explorer.
A series of ActiveX vulnerabilities have been discovered during the past year. ActiveX flaws were detected in a webcam uploader used on Yahoo! Messenger, and a bug in the control was found in Microsoft Office.