Slashdot Mirror

← Back to Stories (view on slashdot.org)

Criminals Attacking Myspace, Facebook IE Plugins

Posted by kdawson on from the unplug-for-safety dept.

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

3 of 70 comments (clear)

  1. Re:ActiveX = the IE culprit? by ILuvRamen · · Score: 5, Informative

    I'll break it down for you. An activeX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the activeX isn't 100% secure, a website can hack you with it. I usually use an activeX once if completely necessary then delete it instead of leaving it sit around.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  2. Limited user anyone? by Anonymous Coward · · Score: 5, Informative

    I run as a limited user . I was attacked .
    Instead of getting crap installed, an error in my security log about an Active X control not having required permissions to install
    So I must ask, How many are vulnerable merely because they foolishly surf as Owner/ Administrator?
    You might that this make no difference, but here, you would be wrong.

  3. Re:Get rid of ActiveX by ericlondaits · · Score: 5, Informative

    Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox Add-on couldn't be exploited... through their APi they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE Active X) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).

    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.