
Criminals Attacking Myspace, Facebook IE Plugins

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."
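
The summary mentions deactivating the vulnerable plug-ins in the Windows registry. As an added example (not part of the original submission and not the SANS tool's code), this PowerShell script audits, and with `-Apply` sets, the Internet Explorer kill bit for a list of ActiveX CLSIDs. It assumes the kill bit is the deactivation mechanism meant, which the page does not state; the CLSIDs are constructed placeholders and the `-Apply` switch is this example's own name.

```powershell
# Added example, not from the article or the SANS tool.
param([switch]$Apply)   # audit only by default; -Apply writes (needs elevation)

# Constructed placeholder CLSIDs. Replace with the CLSIDs named in the
# vendor or SANS advisories; the page itself does not list them.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
$KillBit   = 0x400                     # "Compatibility Flags" bit that blocks loading in IE
$ValueName = 'Compatibility Flags'
$Roots = @(@(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the redirected key
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ })

# Returns the current flags for a CLSID key, or 0 if the key or value is absent.
function Get-Flags([string]$Key) {
    $p = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$ValueName
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = Get-Flags $key
        if ((($flags -band $KillBit) -ne $KillBit) -and $Apply) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so other compatibility flags already present are preserved
            New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
                -Value ($flags -bor $KillBit) -Force | Out-Null
            $flags = Get-Flags $key    # re-read to confirm the write took effect
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X}' -f $flags
            KillBitSet = (($flags -band $KillBit) -eq $KillBit)
        }
    }
}
```

Run without arguments to report which controls are still loadable in IE; a row with `KillBitSet = False` after `-Apply` usually means the shell was not elevated.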

  • by ILuvRamen ( 1026668 ) on Saturday February 23, 2008 @03:19PM (#22528498)
    I'll break it down for you. An ActiveX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the ActiveX isn't 100% secure, a website can hack you with it. I usually use an ActiveX once if completely necessary then delete it instead of leaving it sit around.
  • Limited user anyone? (Score:5, Informative)

    by Anonymous Coward on Saturday February 23, 2008 @03:22PM (#22528528)
    I run as a limited user. I was attacked.
    Instead of getting crap installed, an error in my security log about an ActiveX control not having required permissions to install.
    So I must ask: how many are vulnerable merely because they foolishly surf as Owner/Administrator?
    You might think that this makes no difference, but here, you would be wrong.
  • by calebt3 ( 1098475 ) on Saturday February 23, 2008 @03:32PM (#22528596)
    I think Windows Update still uses it on XP.
  • by Constantine XVI ( 880691 ) <trash,eighty+slashdot&gmail,com> on Saturday February 23, 2008 @04:07PM (#22528798)
    If memory serves, both Flash and Java are implemented in IE via ActiveX.
  • by WD ( 96061 ) on Saturday February 23, 2008 @04:53PM (#22529122)
    Your statement is incorrect. Newer versions of IE (IE7) do indeed have ActiveX enabled in the Internet zone. It does have a feature called ActiveX opt-in, which requires the user to accept a prompt before running controls installed by most stand-alone applications. However, ActiveX controls that are installed through IE (such as the Myspace and Facebook controls mentioned in this article) are automatically opted-in during the install process. So IE7 would provide no additional protection in this case.
  • by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Saturday February 23, 2008 @05:57PM (#22529594) Homepage
    The Automatic Updates tool only allows you to get critical updates, and only when it checks once a day or whatever.
  • by ericlondaits ( 32714 ) on Saturday February 23, 2008 @06:32PM (#22529820) Homepage
    Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox add-on couldn't be exploited... through their API they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE ActiveX) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).
  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Saturday February 23, 2008 @10:14PM (#22531460) Homepage
    I'm pretty sure the parent was referring to a one-time-use VNC server, as would be used in a remote tech support scenario. Dell uses that sort of thing.
