Criminals Attacking Myspace, Facebook IE Plugins
An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."
Haven't they gotten rid of ActiveX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even more so, but if they can't fix/remove ActiveX, I think that they will really lose a lot more users to the more secure browsers.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I'll break it down for you. An ActiveX is basically a program you download that any website can run on your computer. Yeah, that kinda sums it up. If the ActiveX isn't 100% secure, a website can hack you with it. I usually use an ActiveX once if completely necessary, then delete it instead of letting it sit around.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
I run as a limited user. I was attacked.
Instead of getting crap installed, I got an error in my security log about an ActiveX control not having the required permissions to install.
So I must ask, how many are vulnerable merely because they foolishly surf as Owner/Administrator?
You might think that this makes no difference, but here, you would be wrong.
ActiveX is a way to extend the browser, to make the web site better for (at least Windows) users (and overcome some of the limitations of good old-fashioned HTML/HTTP). Truth is that even standards-compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third-party programmers.
After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.
In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al., there is a bit of a growing movement in non-standards-based environments: Flash and Silverlight are emerging as full-fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with graphics-friendly and programming-flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver Flash content.