Image uploader bug blights MySpace

By John Leyden → More by this author

1 Feb 2008 13:02

Nasty ActiveExploit

Security flaws in an ActiveX control used in MySpace upload images onto the social networking sites leave users open to attack. Facebook users may also be at risk.

A buffer overflow vulnerability in Aurigma's Image Uploader Control Library might be used to compromise a user's system. The affected control is used for uploading images onto social networking sites using Microsoft's Internet Explorer. Users might be vulnerable if tricked into visiting a specially crafted web page that exploits the vulnerability.

The flaw was first reported by Elazar Broad on a full disclosure mailing list, who said that the vulnerable control was used by MySpace. Facebook also reportedly repackages the Aurigma control, though which version it uses is unclear. Broad reported the problem to Aurigma.

Aurigma, a Washington-based software developer, acknowledged that version 4.5.70 of its control was vulnerable but said that later versions of its software were safe from attack. It didn't comment on the use of its software on social networking sites.

Security notification firm Secunia advises MySpace users to set the "kill-bit" for the affected ActiveX control, which is known as MySpaceUploader.ocx version 1.0.0.4. Advise from Microsoft on how to disable vulnerable ActiveX controls can be found here. ®

6 comments posted — Comment period finished

Track this type of story as a custom Atom/RSS feed or by email.

MySpace wins lawsuit against Spamford Wallace (29 April 2008)
Smut blocking? We're more bothered about Bebo (23 April 2008)
Facebook Troll sends mob against Cluley (23 April 2008)
Compromised legit sites power hack attacks (8 April 2008)
Link spammers go on social networking rampage (2 April 2008)
Orkut worm feeds on scraps (29 February 2008)
Exploit for 'extremely critical' Yahoo Jukebox vuln goes wild (5 February 2008)
MySpace to throw out code (4 February 2008)
Et tu, Gmail? Simple hack defeats last barrier to decades-old attack (1 February 2008)
Poisoned MySpace page masquerades as Windows Update (12 January 2008)
Facebook blocks Secret Crush over adware row (8 January 2008)
Portuguese-speaking worm attacks Google Orkut users (19 December 2007)
Alicia Keys hit by MySpace Trojan hack (9 November 2007)
Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users (11 September 2007)

Top 20 stories All The Week’s Headlines

Whitepapers
Redefining FOTA deployment in EMEA How To Tackle Enterprise Spyware Protecting Online Customers from Man-in-the-Middle Attacks Mobile Computing : Opportunities and Risk

Breaking Hardware News

Rogue SF sysadmin coughs up passwords

City regains access to its own network

San Francisco City Council regained access to its own computer network today after Mayor Gavin Newsom convinced network administrator Terry Childs to give them the passwords.

Get the ChannelReg newsletters

Related Whitepapers

Solution Brief: Reduce Energy Costs
With Green IT Solutions
What Every E-Business Should Know about SSL Security and Consumer Trust
A Verisign Business Guide
Server Consolidation and Containment
With Virtual Infrastructure
SSL in High-Security Browsers
The Browser Security Revolution
Making Green IT a Reality
Customer Perspectives on the Impact of Storage Vendor Decisions on Power, Cooling, & Space in Enterprise Data Centers
How IT Management Can "Green" the Data Center
A Gartner Report

Top Stories