Facebook, MySpace users at risk from unpatched flaw

Exploit code affecting an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly, putting users of the social networking sites at risk, according to security researchers.

On the Full Disclosure security mailing list, researcher Elazar Broad disclosed a vulnerability in the Aurigma Image Uploader, an application used by Facebook and MySpace. Exploitation of the bug could allow an attacker to execute malicious code on a user’s system.

Code exploiting the flaw has been publicly released on the milw0rm.com website, making it only a matter of time before attacks are put into place, researchers said.

The vulnerability is due to a boundary error in the ActiveX control Aurigma.ImageUploader.4.1 when handling strings assigned to the “Action” property, according to security firm Secunia.

This can be exploited to cause a buffer overflow by assigning an overly long string to the affected property, Secunia said.

Secunia said it had verified the flaw in ImageUploader4.ocx version 4.5.70.0, and assigned it a “highly critical” rating. Other versions are also likely to be affected, Secunia said.

Since no patch is available yet, researchers advised users to set the kill-bit for the Aurigma ActiveX control.

Social networking sites have exploded in popularity in recent months and have become accepted as business tools in some quarters, leading to security concerns.

In December, WorkLight released a tool designed to allow companies to provide employees with access to Facebook while ensuring the social network is run from behind secure corporate firewalls.

Earlier in 2007 Sophos found that Facebook users are too gullible in giving up personal information, making them targets for identity theft.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs