Slashdot Mirror

← Back to Stories (view on slashdot.org)

Criminals Attacking Myspace, Facebook IE Plugins

Posted by kdawson on from the unplug-for-safety dept.

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

21 of 70 comments (clear)

  1. Get rid of ActiveX by CastrTroy · · Score: 5, Insightful

    Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even moreso, but if they can't fix/remove activeX, I think that they will really lose a lot more users to the more secure browsers.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Get rid of ActiveX by calebt3 · · Score: 4, Informative

      I think Windows Update still uses it on XP.

    2. Re:Get rid of ActiveX by Tablizer · · Score: 3, Insightful

      Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

      It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You can have the video evidence for your case, but I will only give it to you on a Betamax tape."

      It probably could have been done another way, but somebody at the other end didn't think it through. Or, perhaps wanted to pad their resume with "Active-X" and so invented a reason.

      --
      Table-ized A.I.
    3. Re:Get rid of ActiveX by DigitAl56K · · Score: 2, Interesting

      Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. Flash? DivX Web Player? You don't use either?

      IE7 running on Vista is also secured against many things these controls could do to a system maliciously, even if they were compromised. System APIs that provide access to the registry and file system are restricted for low integrity processes such that you can only address very specific, usually virtualized locations.

      Firefox plug-ins, btw, are DLL files, and I don't see how that's so wildly different?

      Final thought: I just used Vista and IE7 to defend Microsoft, I may have to go throw up now.
    4. Re:Get rid of ActiveX by The+MAZZTer · · Score: 3, Informative

      The Automatic Updates tool only allows you to get critical updates, and only when it checks once a day or whatever.

    5. Re:Get rid of ActiveX by ericlondaits · · Score: 5, Informative

      Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox Add-on couldn't be exploited... through their APi they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE Active X) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  2. ActiveX = the IE culprit? by Slorv · · Score: 2, Insightful

    I know little about Windows programming but ActiveX seems to be the source for many of the problems with IE and Windows security.
    Why is it still used so much by commercial actors like Facebook, or not secured by MS?

    --
    Bikers.....The only people that understand why a dog hangs his head out a car window.
    1. Re:ActiveX = the IE culprit? by ILuvRamen · · Score: 5, Informative

      I'll break it down for you. An activeX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the activeX isn't 100% secure, a website can hack you with it. I usually use an activeX once if completely necessary then delete it instead of leaving it sit around.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    2. Re:ActiveX = the IE culprit? by WD · · Score: 4, Insightful

      "ActiveX" itself is not necessarily the problem. ActiveX is a commonly used format for packaging native code in a way that it can be used by Internet Explorer. If that code contains a flaw, then Internet Explorer can be used as an attack vector for that buggy code. For example, if that code is written in C and it doesn't properly handle strings, it may be vulnerable to a buffer overflow that can reached by viewing a web page. That holds true whether that code is packaged as an ActiveX control or a Netscape-style plugin.

      Plug-ins (including ActiveX) are dangerous. ActiveX is much more ubiquitous than Netscape-style plugins. For example, nearly every windows application comes with ActiveX or COM objects, but it's very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you're relying on all of these components to be written securely.

      Secure your web browser and you'll be much better off.

    3. Re:ActiveX = the IE culprit? by zootie · · Score: 2, Insightful

      Indeed. It is just an extension mechanism. The component themselves have to be marked as "safe for scripting", and newer versions of IE don't enable ActiveX in public zones by default.

      A problem is that users have dialog fatigue and don't read nor undestand when they get the prompts. Then again, most would trust Yahoo/MySpace/Facebook anyway if they get the prompt.

    4. Re:ActiveX = the IE culprit? by Constantine+XVI · · Score: 2, Informative

      If memory serves, both Flash and Java are implemented in IE via ActiveX.

      --
      "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
    5. Re:ActiveX = the IE culprit? by billcopc · · Score: 2, Informative

      I'm pretty sure the parent was referring to a one-time-use VNC server, as would be used in a remote tech support scenario. Dell uses that sort of thing.

      --
      -Billco, Fnarg.com
  3. Limited user anyone? by Anonymous Coward · · Score: 5, Informative

    I run as a limited user . I was attacked .
    Instead of getting crap installed, an error in my security log about an Active X control not having required permissions to install
    So I must ask, How many are vulnerable merely because they foolishly surf as Owner/ Administrator?
    You might that this make no difference, but here, you would be wrong.

  4. Apologies, but... by gardyloo · · Score: 3, Insightful

    I apologize to any *individual* who may have been hit hard by these 'sploits. But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!

  5. Good reminder for the Mozilla extensions by pembo13 · · Score: 4, Insightful

    To check twice as hard for security flaws.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  6. ActiveX is not the problem per se by zootie · · Score: 5, Interesting

    ActiveX is a way to extend the browser, to make the web site better for -at least Windows- users (and overcome some of the limitations of good old fashioned HTML/HTTP). Truth is that even standards compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

    After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.

    In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with a graphics friendly and programming flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver flash content.

    1. Re:ActiveX is not the problem per se by pembo13 · · Score: 2, Interesting

      I really hope that never happens. Too many websites are in flash as it is. Darn you for wishing for more.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    2. Re:ActiveX is not the problem per se by ladybugfi · · Score: 2

      ActiveX is a way to extend the browser.... ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers. I strongly disagree. ActiveX has a bad reputation for a reason: it has a very poor security model for its intended use.

      Securitywise, Flash isn't as good as it could be. It seems that the security features have been a gradual add-on features over the years instead of being designed as an integral part of the system from day one. And that approach has never really worked well. For example, as far as I know, you can't digitally sign SWF files.
  7. Re:Limited user anyone? by DNS-and-BIND · · Score: 4, Insightful
    I find it incredible how much you can't do as an XP limited account.

    That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  8. Re:Limited user anyone? by calebt3 · · Score: 2

    That's why we can get paid so much as a PC Technician.

  9. IE7 does not disable ActiveX in public zones by WD · · Score: 4, Informative

    Your statement is incorrect. Newer versions of IE (IE7) does indeed have ActiveX enabled in the Internet zone. It does have a feature called ActiveX opt-in, which requires the user to accept a prompt before running controls installed by most stand-alone applications. However, ActiveX controls that are installed through IE (Such as the Myspace and Facebook controls mentioned in this article) are automatically opted-in during the install process. So IE7 would provide no additional protection in this case.