Slashdot Mirror

← Back to Stories (view on slashdot.org)

Criminals Attacking Myspace, Facebook IE Plugins

Posted by kdawson on from the unplug-for-safety dept.

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

3 of 70 comments (clear)

  1. ActiveX is not the problem per se by zootie · · Score: 5, Interesting

    ActiveX is a way to extend the browser, to make the web site better for -at least Windows- users (and overcome some of the limitations of good old fashioned HTML/HTTP). Truth is that even standards compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

    After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.

    In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with a graphics friendly and programming flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver flash content.

    1. Re:ActiveX is not the problem per se by pembo13 · · Score: 2, Interesting

      I really hope that never happens. Too many websites are in flash as it is. Darn you for wishing for more.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  2. Re:Get rid of ActiveX by DigitAl56K · · Score: 2, Interesting

    Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. Flash? DivX Web Player? You don't use either?

    IE7 running on Vista is also secured against many things these controls could do to a system maliciously, even if they were compromised. System APIs that provide access to the registry and file system are restricted for low integrity processes such that you can only address very specific, usually virtualized locations.

    Firefox plug-ins, btw, are DLL files, and I don't see how that's so wildly different?

    Final thought: I just used Vista and IE7 to defend Microsoft, I may have to go throw up now.