Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


ActiveX Under Seige: Facebook, MySpace Image Uploaders Vulnerable



 By: Ryan Naraine
2008-02-04
Article Rating:starstarstarstarstar / 32


There are 5 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Web surfers are urged to immediately disable ActiveX controls from IE to protect against a swath of publicly reportedand unpatchedsoftware vulnerabilities.

The US-CERT is urging Web surfers to immediately disable ActiveX controls from Internet Explorer to protect against a swath of publicly reportedand unpatchedsoftware vulnerabilities.

The US-CERT (Computer Emergency Response Team) recommendation follows the release of exploit code for multiple zero-day flaws in image uploaders used by Facebook and MySpace and bugs in the ActiveX control that ships with the Yahoo Music Jukebox software.

The exploits, posted to the Milw0rm.com Web site, provides a roadmap for full remote code execution attacks on Windows computers.

Resource Library:
ActiveX controls, commonly used in Windows Web applications for animation displays or to enhance UI functions to include items such as spreadsheets and toolbars, but the technology has been plagued by critical vulnerabilities and implementation issues.

According to Will Dormann, a security researcher who has been beating the ActiveX security drum repeatedly over the last few years, the use of ActiveX in a Web browser greatly increases the attack surface, or "attackability," of a system.

Because vulnerabilities ActiveX objects may be exploited via Internet Explorer, even if the object was never designed to be used in a Web browser, security researchers say it is a prime target for drive-by malware downloads.

Attacks Inevitable

According to Erik Kamerling, a vulnerability analyst at Symantec's DeepSight threat center, the availability of exploits for flaws in high-profile targets like Facebook and MySpace is cause for concern.
 
Although Symantec is unaware of in-the-wild exploitation of the ActiveX flaws, there's a feeling that attacks are inevitable.

"[We have] confirmed that these issues can be used to execute code or crash the vulnerable applications. Judging by the wide distribution of these controls, we assume that these issues will be used by attackers and we are monitoring for such developments," Kamerling said in a warning to DeepSight members.

In all, Kamerling said there are three new vulnerabilities in widely deployed ActiveX controls as well as one exploit for a related, recently disclosed issue.  

"Two of the issues affect the Aurigma and Facebook ImageUploader library. Although very similar to the recent Facebook, Myspace, and Aurigma image-upload issues disclosed on January 31, 2008, these new ImageUploader issues are distinct and affect different properties. The remaining two vulnerabilities affect Yahoo! Jukebox Mediagrid and DataGrid ActiveX controls," he added.

"In tandem with the public release of this information, remote code-execution exploits targeting the Aurigma, Facebook, and Yahoo! issues were released. Each issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer)," Kamerling said.

In the absence of patches, Symantec recommends that IE users take "extreme caution" when browsing the Web and ensure that the browser is configured with the highest security settings.
 
The US-CERT goes a step further, recommending that IE users completely disable ActiveX scripting in the browser.

 





  Reader Comments: ActiveX Under Seige: Facebook, MySpace Image Uploaders Vulnerable
>>> Post your comment now!
UploadEase
UploadEase is a Java file/image uploader applet that runs across all major browsers and provides powerful thumbnail/constrained image generation...
Posted At: 05-24-09
By: George
Excellent Article
Very useful information!
Posted At: 02-12-08
By: Anonymous
Why did it take so long?
I'm surprised it has taken this long for people to wake up to this problem. And still the major media has refused to make any mention of it. A few...
Posted At: 02-10-08
By: Al
KILL ActiveX #2
I forgot to add some advice to people who have already designed and developed web software using ActiveX controls. Rip it up! Re-design it without...
Posted At: 02-09-08
By: Ben Myers
KILL ActiveX !!!!
Microsoft's ill-conceived ActiveX has proven to be the hole through which all manner of varmints can sneak into a computer. The Facebook and MySpace...
Posted At: 02-09-08
By: Ben Myers
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 



xmw⸲(y I>15IC/H$d3>klmoچsY=0q*sfyݙ_z煊Esv#>GA fm)-Ǒ4P\tI\v? 9NHw&LT-JR,NLAa|Olq5 uz P%Je_T Z, 80yE4b™EQ ,GQ%?[ڗu&u}Y6f0R*CA-tV?#;SjqsҺy\7=rҽ&qٙN0psZL`CvO^EXCyCm0Mϑj#3?_ć>wIN,-Yw53Q[h,/s$bqrZ~@X ,>J~ͼ94g ߦA@w[@+UykA 4}G_x0FD57cfMs,eg0AM)41tGv!fBP,.|Y* bԸrݠ@P3SB!ތ!E\r'eF"ȅQ.% Ć>x%K%bO<ದypttwެ.Uմޙ.~iKouqnH{⧋vRÜOCͶcOGs>hH2胆6md-ƙk$ ,70}HOaI44ح-= J!pA=xS9uL@#iwM۠h&r\kImǃ.7?6 ; K`p&;xk =`DVt#` Vz< 2/?6a|xuܣP}L{0`sokwiiCq1)3jJdN˕ ] #RR,HH|t"AђF (4 gs#X"C"'GAw'w$]Kq+\fD0˛nOu$;cgڹLX.%QY,p[/1͙JdYU Q=B`&Qea*0pRx5Q7mRTˑl@P5 bd]D{ZmAS3"4n‚_8R"X @\À<׆BOZq bP*B8ᦼt߂b5XQ =]{e|h322y@{BR֊Z5"jEQÒRVqWt~GNfT$h/Op8g~~L4,|. ~}v݂/r=2;|d ,l |?0ة"ylzėaEzӕ ~>V:6ʼnG =q?@TEe¹5`Qеa⢉!h{ӟ4)^ƙl)Wj*ݝ'(~-h;͹ﴨw,3YD]R\YCʜQzCn3~Z`zž+~WּӪ`f/mC[$ zDÈ {qĆZ jYMV>go|레6R1%[ c􁯌C-s# dK3sKZPn3`ez(\f}u5}NyT."cr(= #;"#N{bRFds~7p, JH-G i3Fɾ33uO&קQX[{R€ޫ1Ze Ro(SY-q'&F.҄^SwfbvlvLTSdX*aƭRZ/\f5??u}ӟ:X)C+ͦ'0R TPԀO>ƮfPHrX#j{~RTX]\ZKMXJS/YTAteUT#km`WPF4`W&sS m.E<9[E 1ķʨTIeSW,.wD<5Ϩx3}Nb 4PG tmf q4;f̭GXd;βڸiD@kXJ3dVVTXI05I-֊R{ =2`ӂU}/*\&Iv⿿f辶Fozk|GDo0|h^%u͇R%*m\ܑN\8zARR=YrrZR`7ɠK< J;!O}+4CZ6wOXMyxKOWƒ"'!Z+73,qvëV15/ȟ-1݋{V}{"}QL Xpفkßyc(mǥLGϢc燛Nv@*ۦ>^E2`^=W^^ab>$gY? 0ʳ/5.aš_e)X|8~lIij Fya8dB*{PvB, oIŨڐ}dvjZS隿ð OA區usѼ>\/~wϻ!9\x#xx\MC{RszyңU4*$yy|hqLZ&Iy)t}42l)q^לY0z!B3ZUe1z EEShL~;+^+,k 5̀oÃXP8,׀zB*ΛI%D( `E/)(+RJ "4FI'z\G>gqəO/PIS):}Ur:_Aעo)IJ}J_cN߯Ͳi<"m=8,rhT;D{dNdp jwz`ySr>$/%/p]Zil} zs@&aP;DZ3pu*hhw)~ڰO?W%{ݝ&h푎Ʌp ~'awʜW#aZ ?Y .'{v6g>&k?7Oq;f=7G蹳)= }-;oC'w4dkwX7f8#M[^:ݷza's ]7+۝dNia[nǡ8 0zNt,4P$yEQjʶ-W $]Bn'<4L|dM#}ݾJf8k^h̠t4u꾫} {!.uo06.xy<7?iWeҰwߵ= =z» .+-R!EkE7_cU TFE:'%:mBݽ]޿wV!bi8V3[TftϵsD:>dOC@/-vci2Cؖrn"LpXġ`G ܍)³$`D@3=g˩g6A jm JN XW+Oiƿ_L•&qFL>9b1KS ϓ Zm,Jt f s/"& uM֗Z! wx8MymXI겎Iq Cx;~أwZls}TfgQA7YɊw9SbjKZ*dN+voW]$‹+sjBe[PV(upHZQ)G٠/ *%#B|'F,%"G猎y_P#)cgd͢?03{cD&];qa(V Ыથp5rx nܛ7ގϞ|#&K>%J=jv])+%m%xgF@]DI3DM<'MWx~RhJ'Ns+] BG1{9)rp͞OƳA,_*zJU*Tftލb1/o4{ҙ6~6 gH˽B8o ٔ! apH'yܷ÷Um()S|qi>';`팽9tܔXNχolpa%:n#-PƘ66~m/kYWpw i! C;3x%z )ɂ_lrf66(l(Iݔ#k/]E3DC=J'`Qz 뺆*>3)1#a#;gDc5%Pso u e@\!n `}+Lt㸷x@Z:-,>/lcApkm(̟׶UU[v&?`>O$XKMo3&CH!NH3bZlCB,֦x7~e[*IS,Sc%'T# ojF%IEd;m Y֣s^g& I͡3k*N/ @@A"}:u4LO=@{+tސ^ЙHm{Q-ح=s9Uu S̈́1Jz^!W{ VH8FVcbv8'I V!V92qn)h #V&2My 8LZ G܋x E-HE۔@Kx g*ћvn 7e0{yg"_~kpmdo8x5 `VO%[afe/8TH/5P#yxWt)_(/bf6GJ+בQUx:_Kƪ7V

|/`j}=f\I#[;iQqJP#LxuXGs=}kNznQPsVǁC_zs_N |_B]oD`ؤlNtIp-k$$L;#V?BglG04u249z˞wf,(MH8 S F!7Wl{66TM EĬF ܼ5٣T  B5BG# !>x>)*lzcӚ Dp5h;\cg[z?yh,sx/3vZ/r]̲Wbş / 7(&),8fL?D%R_<#ķznGqަI4&4ggf5AN1g6.{M_Pso&~lVS0R=zf3@VEM[~1˻tѥdToJYf&VC|_~߱ -c3!zBdd`hRI/N& ZHcc;w` 8e[Y^@gb ,MI"%g ^:]ݽ]Ť|sLM<%]"R7FT[ݷ(1C̫u״d=ՙD kq$!Zp6P]?zUcbab\aL~!χx~{QYd$#D<k_AG-'ˤjgϡ6%f֧QIHv^EHc2@@dƮ'@amIYx1K#M .b 7Dy uM|w#o=?n%e,,D!ޒA~235?q'G#&ФC>y| [GM>oqd^x+uD7۱,ē{ͮqGRJAk)'>?H-U6ZgI XŢW\gG(j ۄ'*FWO|K@r+ w-kQǴ'1$R u^t᷍Bx6%Nvpn Hۡ[57A\N{=yBMh>#Ծ3]FW'b^m9'0c0,9+ߛd_a9eEd[h IlwAQg')q8 @əfke| 7/HiTa.Ye?l'(Ld.<=iUh%&MFRxw42u4¿J\ E&SxcL}xaaF e&ٝ7 gFaٽ[!ʃZ+=m~'ƖE*P5;mB3-<̢>[pzfoV0$#wA>pw<|S,U{Z~KB?{tt=l@1"s?"q:N ~NP_FG ׀gbxBW7˽}D['ɍC*yhb#3@|0\Ǎ6K윓M﷯{aEt樯Md=_:}GT7#ag(4< T@# (zl&YFp 0G#1CLD:5L[lFN1y/ c-/uOcZ|"{X#&3r)9Fv_a"_G/@QR,tQ:..( oI[Pk,(ϱB5bSJDmn$|s ^5"fHs9"([]ă0>]h١_/:GAp͒wf~ 6t ^-pV#ߛjS?X-ۺ9P'9f#L/?gN+2ʡsQdC/( y|s_d/}/2{ȠE^^d'eSFeQ~0{ s!?0~ׅw3?]/ rqWU?{^}~_?}OP)'ߧ @MV9M@7d_|yʛrּ…)QFy98rEUrXB]dCy><_`fkWtsf_2̭L/n+\a( g-U兗fZcn5:@ba/! c|U$X2M"[#(yE#BhtoD.b!Ix=0?Mu{1پWߕ\*ܢ}:aOޕXE 9 8W0ǦY iw(c#hR{H9ѭ]\z[GܻğZa=PW].6ppSnoLT` }EÝxvYi5VlNA6KE>YlفKh O WX-Jaġ$}x <A//u>赏?^wS߭ҾlmОOE>~3XV)pF F^a%1zIfOa4Gk|-WCդz MH3f91-cH$7JIUKJ~+jZ#\Dv0qGt[ cR 5w9سV˥*D`Q9#Tx|Dei櫄:9IC@b&{h[^c4p%EХcon˘H͛YHE572;MHJ D`fA0Jb'c{8z50$h8so`cBm 6#clɢM51|Ku̿z2Wen>TME~[,i܁z<h#{xqnڔSÏz T z" mρ .LEkzq;28(,edI[h"fx¦DX֮'kn@aƐckDUIn_!x'Gk`ؼ<"C0Hk$X 9s]^ȇ^zK;-Fs 0)/-c8mtR -\`Z|vv̹԰MLƲH_b}. S@%9 ?cc6HO,msgrlk:vܙ%̋_Ba2\Hx kYoc3gz׳;<v;͇MVek[$\v/-S-Wurcd+yf:ePEXl+R+Ke$Vi qSGghwq#b u1u+e!*1:SӏUXgw{**v QmQ/pSTVD' /߶5pݜ3Qa[_{zwn}#\ af#3ccƫRdGB^#Lnm^^ktiD)Ѱ0$L;,lyEE%%ØrNCb 0Ic:%brYMS cJ\gGۂ~+2GS<"Y8.쑥"P߯-d+KW̱0Kul#^"hOcV\3zf7Z31zBO 3l)j1Bi>eٍ1}arrW`0MJkAsLeUtCJYEL`2;`+ Nŵt&vж?8هl"~&n+ف,{[нTnpLK-8a >"FLNDN<<Sf}')VSL_Xћ_<|D+O  + RSq|>o/ݍ7,{ٗN<|XYp0z3ba'*iwN+, -MGݏ-)h,=R$Du IJzWVsyuM+_1j-<G93Vj,D