Security researchers have raised an alert for serious security problems with the MySpace and Facebook image upload feature.
According to a warning from Symantec’s DeepSight threat analyst team, the issue centers around a buffer overflow in the ‘Action’ property of multiple ActiveX controls that’s used in the image upload process for the two popular social networks.
The ActiveX controls are designed and distributed by Aurigma Imaging Technology.
The vulnerability, publicly disclosed by hacker Elazar Broad on the Full Disclosure mailing list, could allow attackers to use booby-trapped Web pages to compromise Windows machines.
Exploit code that provides a roadmap to launch remote code-execution attacks has been published at Milw0rm.com.
Symantec DeepSight researcher Patrick Jungles said his team has confirmed the reliability of the exploit.
“We also expect to see exploits for the Facebook issue in the next few days, given the popularity of the social-networking community,” Jungles added.
“Since exploits are starting to come out for these issues, users are advised to use caution when browsing the Web,” he added.
In the absence of a fix, Windows/Internet explorer users should immediately disable these CLSIDs:
“* MySpace: {48DD0448-9209-4F81-9F6D-D83562940134}* Facebook: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}* Aurigma: {6E5E167B-1566-4316-B27F-0DDAB3484CF7}“
See this Microsoft document for instructions on disabling ActiveX components.