MySpace and Facebook struck by security flaw

By Justin Mann on February 1, 2008, 8:30 PM
Both MySpace and Facebook have come under the security microscope with the publication of a zero-day flaw that affects both sites. The flaw lies within the image uploader that both sites use, which is obviously a very popular and commonly used function. If exploited, the flaw can result in a buffer overflow that could lead to code execution on someone's computer and ultimately machine compromise. Even less surprising, the flaw is inside an ActiveX control. Assuming you are using a browser that doesn't support ActiveX, you're out of harms way.

Secunia has rated the flaw as highly critical, and as of the time of this post no patch has been formerly announced. However, a little-known feature of ActiveX known as the kill bit can be enabled that will prevent the exploit from being able to affect you.




User Comments: 5

Got something to say? Post a comment
phantasm66 said:
These social networking sites are such a great attack vector for malware.
vocoda said:
Actually, the networking sites are no more an "attack vector" for malware than any other website. Micro$oft Exploder and it's broken add-ons are the root cause of all malware evil.
phantasm66 said:
Yes, but if you have a social networking page, I KNOW you will visit it, and visit it often.Therefore, if I exploit a vulnerability in Facebook, for example, and add something bad to your page for IE to run, I KNOW that you will visit that page and run the exploit code pretty soon after I place it. Not only that, but you are likely to visit your page from a number of machines. Your "friends" will also visit your page, and I can get an idea of who your friends are just by looking at your page.Additionally, I think you will find that, whilst IE does have many security issues, many of the attacks that work with social networking sites work in just about any browser.So, you see, the social networking sites are a great attack vector. They are open, accessible, public, have security issues, and you and your mates are likely to visit them and load them in your browsers often.Many security guys refuse to have a social networking site page for these reasons.
madmantm said:
I have a facebook and myspace account. I loke them but I hate people who put way to much time in them. It is a good way to keep in touch but people need to go out more. Experience life. I found a link that decribes how I feel. Its old blue eyes telling it like it is.[url]http://americancomedynetwork.com/animation.html?bit_
d=25239[/url]
vocoda said:
Yeah I have a Facebook and MySpace account too, they are great fun compared to basic posting/blogging IMHO - and I actually do have a life offline (in the real werld!). I stopped worrying about hack-attacks once I got Firefox, Anti-Spyware, Anti-Virus, and Firewall on my PC (with regular updates). Sure, there will always be fresh exploits to deal with, but from what I've seen over the past 12 years the worst ones are thru vectors such as email, office apps, and website drive-bys when surfing from search engines. Agreed that social networkings is a good target too, but I would class this as just another website attack. ActiveX controls in particular have been problematic since day one, as evidenced by MS repeated attempts to secure them over the years. Use ActiveX at your own risk - I do :)
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.