Criminals Attacking Myspace, Facebook IE Plugins
An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."
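The summary above mentions deactivating vulnerable plug-ins in the Windows registry. As an added example (not code from the article, the SANS tool, or any poster), the following audits a `reg export` of Internet Explorer's ActiveX Compatibility key for the documented "kill bit" (Compatibility Flags 0x400) and emits a .reg fragment for controls that lack it. That the SANS tool uses this same mechanism is an assumption, and the CLSIDs and export text are constructed placeholders, not real controls.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating a control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of `reg export` output; the CLSIDs are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00800000
'''

def parse_flags(export_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in a .reg export."""
    flags, clsid = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.fullmatch(r"\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]", line)
            in_base = bool(m) and m.group(1).lower() == BASE.lower()
            clsid = m.group(2).upper() if in_base else None
            if clsid:
                flags.setdefault(clsid, 0)
            continue
        m = re.fullmatch(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', line)
        if m and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags

def audit(export_text, blocklist):
    """Return {CLSID: True if the kill bit is set} for every CLSID in blocklist."""
    flags = parse_flags(export_text)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in blocklist}

def reg_fix(export_text, blocklist):
    """Build a .reg file that sets the kill bit only where it is missing."""
    flags = parse_flags(export_text)
    out = ["Windows Registry Editor Version 5.00", ""]
    for c in (c.upper() for c in blocklist):
        cur = flags.get(c, 0)
        if not cur & KILL_BIT:
            # OR the bit in so other compatibility flags already set are preserved.
            out += [f"[{BASE}\\{c}]", f'"Compatibility Flags"=dword:{cur | KILL_BIT:08x}', ""]
    return "\n".join(out)
```

A control whose key exists with other flags but without 0x400 (the second sample entry) is still loadable by IE, which is why the audit tests the bit rather than the presence of the key.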
Get rid of ActiveX (Score:5, Insightful)
ActiveX = the IE culprit? (Score:2, Insightful)
Why is it still used so much by commercial actors like Facebook, or not secured by MS?
Apologies, but... (Score:4, Insightful)
Good reminder for the Mozilla extensions (Score:5, Insightful)
Re:Limited user anyone? (Score:5, Insightful)
That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.
Re:ActiveX = the IE culprit? (Score:5, Insightful)
Plug-ins (including ActiveX) are dangerous. ActiveX is much more ubiquitous than Netscape-style plugins. For example, nearly every Windows application comes with ActiveX or COM objects, but it's very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you're relying on all of these components to be written securely.
Secure your web browser [cert.org] and you'll be much better off.
Re:ActiveX = the IE culprit? (Score:2, Insightful)
A problem is that users have dialog fatigue and don't read or understand when they get the prompts. Then again, most would trust Yahoo/MySpace/Facebook anyway if they get the prompt.
Re:Get rid of ActiveX (Score:3, Insightful)
It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You can have the video evidence for your case, but I will only give it to you on a Betamax tape."
It probably could have been done another way, but somebody at the other end didn't think it through. Or, perhaps wanted to pad their resume with "Active-X" and so invented a reason.
Re:Limited user anyone? (Score:1, Insightful)
I've had any number of people bitch when they try to install their screen saver, or some other PoS bit of crapware doohickey their niece's best-friend got from a pseudo-anonymous MySpace poster.
One such user was my boss, who despised the notion of operating system security as being "crap that makes it hard (or impossible) to do whatever the hell you want to do to/on your computer whenever you want to do it." A condition that becomes very difficult when you're trying to explain to Jane/Joe user why they can't have permission to install screen-saver-du-jour and they complain to your boss who shares their perspective...
(Also, if you were talking about Vista, the average
-AC