Slashdot Mirror


Hackers Target MySpace and Facebook

Stony Stevenson writes "The security firm Fortify Software has warned against a series of attacks against Facebook and MySpace. Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault. 'Criminal hackers now view social networking sites as their best target for attacks ... [partially because] such sites are designed to be usable by "unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.'"

2 of 93 comments

  1. Re:That... by palegray.net · Score: 5, Interesting
    Given the fact that it's a client-side issue, it's far more likely the attackers are looking to achieve two goals with this sort of exploit:
    1. Turn the client computer into a zombie, which participates in the attacker's efforts to spew out spam and scan networks for machines vulnerable to other exploits.

    2. Scan the user's local machine and any network shares for "interesting" data that might be used to compromise financial institution accounts.

    3. Capture login information on the local machine and relay it to the attacker.

    The contents of the user's MySpace or Facebook profile information probably rank rather low on the list of useful information.
  2. Re:Internet Explorer based exploit by palegray.net · Score: 5, Interesting

    The ActiveX control doesn't come with IE; it's hosted on the servers that provide the social networking service and loaded into your browser when you elect to upload an image to your profile. What I find really interesting is the date this vulnerability was first published: 02/04/2008 11:26:53 AM