0 Replies Latest reply on Feb 5, 2008 11:11 AM by HarryWaldron

    ActiveX Vulnerabilities - Facebook, MySpace and Yahoo

      There are warnings for at least 6 Active controls that may experience buffer overflows or crashes and thus be subject to exploit developments So far there are no known in-the-wild attacks and in using the ISC's GUI based tool (link at the bottom) I had no exposures on my current system.

      ActiveX Vulnerabilities - Facebook, MySpace and Yahoo
      http://www.eweek.com/c/a/Security/ActiveX-Under-Seige-Facebook-MySpace-Image-Upl oaders-Vulnerable/
      http://www.us-cert.gov/current/index.html#publicly_available_exploit_for_faceboo k
      http://www.kb.cert.org/vuls/id/776931

      Six key sites and Killbits for those sites
      http://isc.sans.org/diary.html?storyid=3929
      http://isc.sans.org/diary.html?storyid=3931

      QUOTE: The US-CERT is urging Web surfers to immediately disable ActiveX controls from Internet Explorer to protect against a swath of publicly reported—and unpatched—software vulnerabilities.

      The US-CERT (Computer Emergency Response Team) recommendation follows the release of exploit code for multiple zero-day flaws in image uploaders used by Facebook and MySpace and bugs in the ActiveX control that ships with the Yahoo Music Jukebox software.

      According to Erik Kamerling, a vulnerability analyst at Symantec's DeepSight threat center, the availability of exploits for flaws in high-profile targets like Facebook and MySpace is cause for concern.

      Although Symantec is unaware of in-the-wild exploitation of the ActiveX flaws, there's a feeling that attacks are inevitable. Admins are advised to set the kill bit for the following CLSIDs as soon as possible:

      Aurigma: CLSID 6E5E167B-1566-4316-B27F-0DDAB3484CF7 ('ImageUploader4.ocx')
      Aurigma: CLSID BA162249-F2C5-4851-8ADC-FC58CB424243 ('ImageUploader5')
      Facebook: CLSID 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0
      Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139
      Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2


      ISC GUI Tool can be downloaded from here:
      http://handlers.sans.org/tliston/KillBitGui-Feb08.exe

      Note - Using the GUI tool, you can run this and check for any vulnerabilities. You can also check the boxes to set the killbits if desired (these ActiveX controls would only be available for MySpace, Facebook, and Yahoo Juke Box users)