Facebook, MySpace hit by zero-day flaw
Attack code circulates for unpatched bug.
By Matthew Broersma | Techworld | Published: 14:30, 01 February 2008
Exploit code affecting an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly, putting users of the social networking sites at risk, according to security researchers.
On the Full Disclosure security mailing list, researcher Elazar Broad disclosed a vulnerability in the Aurigma Image Uploader, an application used by Facebook and MySpace. Exploitation of the bug could allow an attacker to execute malicious code on a user's system.
Code exploiting the flaw has been publicly released on the milw0rm.com website, making it only a matter of time before attacks are put into place, researchers said.
Related Articles on Techworld
The vulnerability is due to a boundary error in the ActiveX control Aurigma.ImageUploader.4.1 when handling strings assigned to the "Action" property, according to security firm Secunia.
This can be exploited to cause a buffer overflow by assigning an overly long string to the affected property, Secunia said.
Secunia said it had verified the flaw in ImageUploader4.ocx version 4.5.70.0, and assigned it a "highly critical" rating. Other versions are also likely to be affected, Secunia said.
Since no patch is available yet, researchers advised users to set the kill-bit for the Aurigma ActiveX control.
Social networking sites have exploded in popularity in recent months and have been accepted as business tools in some quarters, leading to security concerns.
In December, WorkLight released a tool designed to allow companies to provide employees with access to Facebook while ensuring the social network is run from behind secure corporate firewalls.
Earlier in 2007, Sophos found that Facebook users are too gullible in giving up personal information, making them targets for identity theft.
