
Criminals Attacking Myspace, Facebook IE Plugins

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."
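Added example, not part of the original post or the SANS tool: a PowerShell sketch of checking and setting Internet Explorer's kill bit for one ActiveX control, assuming the registry deactivation mentioned above refers to that documented mechanism (the `0x400` bit in the `Compatibility Flags` value under `ActiveX Compatibility`). The function names are hypothetical and the CLSID is a constructed placeholder, since the summary lists no class IDs.

```powershell
# Added example: audit or set the IE kill bit for one ActiveX control.
# Run from an elevated prompt; HKLM is not writable by limited accounts.
$KillBit = 0x400   # bit in the "Compatibility Flags" DWORD that blocks loading in IE
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; skipped below when absent
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Assert-Clsid([string]$Clsid) {
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in {8-4-4-4-12} hex form: $Clsid"
    }
}

function Get-CompatFlags([string]$Key) {
    # Returns 0 when the key or the value does not exist yet.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    Assert-Clsid $Clsid
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $flags = Get-CompatFlags (Join-Path $root $Clsid)
        [pscustomobject]@{ Root = $root; Flags = '0x{0:X8}' -f $flags; Killed = [bool]($flags -band $KillBit) }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    Assert-Clsid $Clsid
    foreach ($root in $Roots | Where-Object { Test-Path -LiteralPath $_ }) {
        $key = Join-Path $root $Clsid
        $new = (Get-CompatFlags $key) -bor $KillBit   # keep any other flags already set
        if (-not $PSCmdlet.ShouldProcess($key, ('set Compatibility Flags to 0x{0:X8}' -f $new))) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

$clsid = '{00000000-0000-0000-0000-000000000000}'   # constructed placeholder, not a real control
Test-KillBit -Clsid $clsid
# Set-KillBit -Clsid $clsid -WhatIf                 # preview the change before applying it
```

The kill bit only stops Internet Explorer from instantiating the control; the vulnerable file stays on disk until the vendor's update replaces it.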
  • Get rid of ActiveX (Score:5, Insightful)

    by CastrTroy ( 595695 ) on Saturday February 23, 2008 @03:11PM (#22528432)
    Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even moreso, but if they can't fix/remove activeX, I think that they will really lose a lot more users to the more secure browsers.
  • by Slorv ( 841945 ) on Saturday February 23, 2008 @03:16PM (#22528478) Homepage
    I know little about Windows programming but ActiveX seems to be the source for many of the problems with IE and Windows security.
    Why is it still used so much by commercial actors like Facebook, or not secured by MS?
  • by gardyloo ( 512791 ) on Saturday February 23, 2008 @03:33PM (#22528610)
    I apologize to any *individual* who may have been hit hard by these 'sploits. But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!
  • by pembo13 ( 770295 ) on Saturday February 23, 2008 @03:46PM (#22528688) Homepage
    To check twice as hard for security flaws.
  • by DNS-and-BIND ( 461968 ) on Saturday February 23, 2008 @03:55PM (#22528738) Homepage
    I find it incredible how much you can't do as an XP limited account.

    That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.

  • by WD ( 96061 ) on Saturday February 23, 2008 @03:58PM (#22528762)
    "ActiveX" itself is not necessarily the problem. ActiveX is a commonly used format for packaging native code in a way that it can be used by Internet Explorer. If that code contains a flaw, then Internet Explorer can be used as an attack vector for that buggy code. For example, if that code is written in C and it doesn't properly handle strings, it may be vulnerable to a buffer overflow that can be reached by viewing a web page. That holds true whether that code is packaged as an ActiveX control or a Netscape-style plugin.

    Plug-ins (including ActiveX) are dangerous. ActiveX is much more ubiquitous than Netscape-style plugins. For example, nearly every Windows application comes with ActiveX or COM objects, but it's very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you're relying on all of these components to be written securely.

    Secure your web browser [cert.org] and you'll be much better off.
  • by zootie ( 190797 ) on Saturday February 23, 2008 @04:05PM (#22528792)
    Indeed. It is just an extension mechanism. The components themselves have to be marked as "safe for scripting", and newer versions of IE don't enable ActiveX in public zones by default.

    A problem is that users have dialog fatigue and don't read or understand when they get the prompts. Then again, most would trust Yahoo/MySpace/Facebook anyway if they get the prompt.
  • by Tablizer ( 95088 ) on Saturday February 23, 2008 @04:07PM (#22528802) Journal
    Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

    It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You can have the video evidence for your case, but I will only give it to you on a Betamax tape."

    It probably could have been done another way, but somebody at the other end didn't think it through. Or, perhaps wanted to pad their resume with "Active-X" and so invented a reason.
             
  • by Anonymous Coward on Saturday February 23, 2008 @04:44PM (#22529056)
    Moreover, they get pissed right the hell off when they try to go and do something and find "that goddamned security thing won't let me fuck up my computer"...

    I've had any number of people bitch when they try to install their screen saver, or some other PoS bit of crapware doohickey their niece's best-friend got from a pseudo-anonymous myspace poster.

    One such user was my boss, who despised the notion of operating system security as being "crap that makes it hard (or impossible) to do whatever the hell you want to do to/on your computer whenever you want to do it." A condition that becomes very difficult when you're trying to explain to Jane/Joe user why they can't have permission to install screen-saver-du-jour and they complain to your boss who shares their perspective...

    (Also, if you were talking about Vista, the average /.'r also thinks that extra security "just gets in the way" too... but that position is based on hating Microsoft, not anything to do with logic or rationality).

    -AC
