Main Marketing Finance C.Suite
Small Business Centre Mid-Sized Business Centre
Email the Editor Email the Editor   Email a Friend Email a Friend about this article   Print this Page  Print friendly page

Facebook, MySpace users at risk from unpatched flaw

Code exploiting the flaw has been publicly released on the milw0rm.com website, making it only a matter of time before attacks are put into place, researchers said.
2/4/2008 6:15:00 AM By: Matthew Broersma


Exploit code affecting an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly, putting users of the social networking sites at risk, according to security researchers.

On the Full Disclosure security mailing list, researcher Elazar Broad disclosed a vulnerability in the Aurigma Image Uploader, an application used by Facebook and MySpace. Exploitation of the bug could allow an attacker to execute malicious code on a user's system.

Code exploiting the flaw has been publicly released on the milw0rm.com website, making it only a matter of time before attacks are put into place, researchers said.

The vulnerability is due to a boundary error in the ActiveX control Aurigma.ImageUploader.4.1 when handling strings assigned to the "Action" property, according to security firm Secunia.

This can be exploited to cause a buffer overflow by assigning an overly long string to the affected property, Secunia said.

Secunia said it had verified the flaw in ImageUploader4.ocx version 4.5.70.0, and assigned it a "highly critical" rating. Other versions are also likely to be affected, Secunia said.

Since no patch is available yet, researchers advised users to set the kill-bit for the Aurigma ActiveX control.

Social networking sites have exploded in popularity in recent months and have become accepted as business tools in some quarters, leading to security concerns.

In December, WorkLight released a tool designed to allow companies to provide employees with access to Facebook while ensuring the social network is run from behind secure corporate firewalls.

Earlier in 2007 Sophos found that Facebook users are too gullible in giving up personal information, making them targets for identity theft.
share: Twitter Facebook Digg
Sign up for our IT Business Newsletters
<< Back
Bookmark:  delicious |   Google |   Technorati |   StumbleIt |   Yahoo!

Email a Friend Print This page
Related Articles
Novell uses BrainShare to demo its SharePoint r...
e-Dentity melds Web with pop culture
CIPS, CATA plan joint effort on ISP designation


blog comments powered by Disqus