Criminals Attacking Myspace, Facebook IE Plugins

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

Get rid of ActiveX

[CastrTroy]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even moreso, but if they can't fix/remove activeX, I think that they will really lose a lot more users to the more secure browsers.

Re:Get rid of ActiveX

[calebt3]

I think Windows Update still uses it on XP.

Re:

[misleb]

I think Windows Update still uses it on XP.

Don't most people just use the standalone update tool? Or is that only good for autoupdate?

-matthew

Re:Get rid of ActiveX

[The MAZZTer]

The Automatic Updates tool only allows you to get critical updates, and only when it checks once a day or whatever.

Re:

[kcbanner]

It's only for autoupdate and installing automatically downloaded updates.

Re:

[Tablizer]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You

Re:

[billcopc]

Fine. ActiveX in a controlled environment can be useful in a backwards kind of way, even though I personally believe they should package such functionality as a standalone app in most corporate environments... but given how 99.44% of programmers aren't even worth the hot-dog meat, I guess we have to make compromises.

The one place where ActiveX does NOT belong, is on the intarwebs. I _far_ prefer the Firefox plugin system, where everything is Javascript and still runs in a sandbox. The petty little featu

Re:

[Tablizer]

Fine. ActiveX in a controlled environment can be useful in a backwards kind of way...

I don't understand your use of "fine". I did not promote Active-X. I was only describing circumstances where one is sort of forced into using such pluggins.
   

Re:

[Kalriath]

You describe Firefox ADDONS. Firefox PLUGINS are compiled DLL code written in languages like C++ - Netscape style. Apparently you trust Firefox addons (sandboxed javascript) a lot more than Firefox plugins (random bytecode)

Re:

[billcopc]

Correct, apologies for my ambiguity. I trust addons. I don't trust plugins. That said, I don't use many plugins other than the ubiquitous Flash and Shockwave.

Given what I've seen done with Firefox addons, I'm quite confident that most of the functionality that traditionally used ActiveX can be safely and completely replicated with Javascript and XUL. After all, most of them are simple UI mods.

Re:

[holophrastic]

Well yeah, but most of those UI mods are pure fluff -- completely useless for anything worthwhile. I don't really care about the "skin" of the application -- I'm not racist that way. There have been a number of activex controls that I've built into web apps for clients that necessarily need to be bytecode -- well, they necessarily need enough direct access to the machine in order to provide basic functionality that any exploits become real concerns.

Hey, something as simple as accessing files on the machin

Re:

[DigitAl56K]

Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

Flash? DivX Web Player? You don't use either?

IE7 running on Vista is also secured against many things these controls could do to a system maliciously, even if they were compromised. System APIs that provide access to the registry and file system are restricted for low integrity processes such that you can only address very specific, usually virtualized locations.

Firefox plug-ins, btw, are DLL files, and I don't see how that's so wildly different?

Final thought: I just used Vista and IE7 to defend Microsoft,

Re:

[cheater512]

The difference between Firefox plugins and IE ActiveX is with the latter anyone can make a website which throws up a yes or no box which users will click yes on and then it takes over their computer.

Also toolbars and other stuff in Firefox dont require any executable code at all and are thus less prone to attack.
Only things like Flash require executable code.

Re:Get rid of ActiveX

[ericlondaits]

Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox Add-on couldn't be exploited... through their APi they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE Active X) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).

Re:

[cheater512]

My point about the XUL was that its far harder to have a security flaw in your toolbar if you use it than if you make a IE toolbar.
Firefox handles all the tough code to make a toolbar and the XUL/js just does basic stuff.

Re:

[ericlondaits]

Defining UI through XUL it's not too different from how you do it in a Windows application (or an ActiveX control) through a Dialog definition in a .res file. Vulnerabilities in ActiveX don't have anything to do with UI... but rather with the exported interface.

With Firefox you really program most of the extension through JS... XUL just provides the UI that glues it together. But it's a bit like assuming that web pages are safe because you define them mostly through HTML... vulnerabilities through the use o

Re:

[cheater512]

Your completely misread my post.

Its far harder to make a toolbar with a vulnerability with XUL/JS than making one for IE.
TFA says that they are targeting specific IE toolbars with flaws. You couldnt do that with standard Firefox toolbars.

ActiveX = the IE culprit?

[Slorv]

I know little about Windows programming but ActiveX seems to be the source for many of the problems with IE and Windows security.
Why is it still used so much by commercial actors like Facebook, or not secured by MS?

Re:ActiveX = the IE culprit?

[ILuvRamen]

I'll break it down for you. An activeX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the activeX isn't 100% secure, a website can hack you with it. I usually use an activeX once if completely necessary then delete it instead of leaving it sit around.

Re:

[CastrTroy]

Yeah, but you can accomplish the same things with a Java applet or using flash. Why the need to use ActiveX which has been proven insecure over and over again, and only works under IE?

Re:

[Constantine XVI]

If memory serves, both Flash and Java are implemented in IE via ActiveX.

Re:

[grossvogel]

IIRC, XMLHttpResponse is implemented via ActiveX under IE 6. (Anybody know if IE 7 implements it as a native JS object?)

In some cases it's the fault of developers (or their bosses) who rely on IE-only technology, but ActiveX is sometimes the only way to get 'standard' behavior out of IE.

Re:

[Constantine XVI]

From http://en.wikipedia.org/wiki/XMLHttpRequest#Cross-browser_support [wikipedia.org]

Internet Explorer 7 added native support for the XMLHttpRequest object, but retains backward compatibility with the ActiveX implementation.

Re:

[piojo]

Yeah, but you can accomplish the same things with a Java applet or using flash.

Sometimes, ActiveX is used when intimate interaction with the user's computer is necessary. I have seen a consulting firm use ActiveX to start a VNC connection for support purposes. Telling the user to go to a URL and click "yes" is a lot easier than telling them to find and run an executable (that may not even be installed).

Re:

[cheater512]

TightVNC and others provide a Java applet for connecting to VNC servers.

Re:

[billcopc]

I'm pretty sure the parent was referring to a one-time-use VNC server, as would be used in a remote tech support scenario. Dell uses that sort of thing.

Re:ActiveX = the IE culprit?

[WD]

"ActiveX" itself is not necessarily the problem. ActiveX is a commonly used format for packaging native code in a way that it can be used by Internet Explorer. If that code contains a flaw, then Internet Explorer can be used as an attack vector for that buggy code. For example, if that code is written in C and it doesn't properly handle strings, it may be vulnerable to a buffer overflow that can reached by viewing a web page. That holds true whether that code is packaged as an ActiveX control or a Netscape-style plugin.

Plug-ins (including ActiveX) are dangerous. ActiveX is much more ubiquitous than Netscape-style plugins. For example, nearly every windows application comes with ActiveX or COM objects, but it's very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you're relying on all of these components to be written securely.

Secure your web browser [cert.org] and you'll be much better off.

Re:

[zootie]

Indeed. It is just an extension mechanism. The component themselves have to be marked as "safe for scripting", and newer versions of IE don't enable ActiveX in public zones by default.

A problem is that users have dialog fatigue and don't read nor undestand when they get the prompts. Then again, most would trust Yahoo/MySpace/Facebook anyway if they get the prompt.

IE7 does not disable ActiveX in public zones

[WD]

Your statement is incorrect. Newer versions of IE (IE7) does indeed have ActiveX enabled in the Internet zone. It does have a feature called ActiveX opt-in, which requires the user to accept a prompt before running controls installed by most stand-alone applications. However, ActiveX controls that are installed through IE (Such as the Myspace and Facebook controls mentioned in this article) are automatically opted-in during the install process. So IE7 would provide no additional protection in this case.

Re:

[tmalone]

I don't think it is just dialog fatigue; the problem is also that the user clearly wants what the dialog is promising to give them. When those dialogs come up because you clicked on a link, it's essentially saying, "Do you want this information you requested?" Of course the user is going to say yes. They wouldn't have clicked on the link otherwise. The problem is two fold: too many dialogs because too many reputable sources use these facilities; and users who just want the info they requested. Users have be

Re:

[SL Baur]

Hmmph. +5 insightful? You are an astroturfer.

You totally miss the point, as did the Microsoft middle managers who signed off on this. Running any code coming from a wire is unwise in the extreme. Running it without user intervention is worse.

ActiveX could work fine in a totally trusted environment, like inside an isolated company network. On the Internet it's Just Plain Stupid. It was accepted knowledge decades ago that one should just not run executable anythings (scripts or binaries) coming in over a

Re:

[LO0G]

Not quite.

ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).

The plugins have vulnerabilities, and the bad guys are exploiting the vulnerabilities in the plugins. There's nothing about ActiveX involved except for the fact that the plugins are written for IE.

The exact same exploits could be written for Firefox or Safari or Opera, because they all contain support for the vulnerable plugins.

Windows Vista runs all browser plugins in a very locked d

Re:

[thePowerOfGrayskull]

ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).

Actually, ActiveX is an interface which an application must implement. This is not specific to web browsers at all, as ActiveX can be used (and often are) in any Windows application.

Re:

[LO0G]

My answer was relatively simplified for the audience. I was just trying to get across the idea that ActiveX isn't an insecure technology per-se (which appears to be the general opinion on the internet), but instead a vehicle for deploying plugins, and it's the plugins that are insecure. As I mentiond, at least one of the vulnerabilities mentioned in TFA are applicable to Firefox (the vulnerability is in QT). The attackers are only targetting QT when it's hosted in IE, but according to Apple, QT is vulner

Re:

[thePowerOfGrayskull]

Fair 'nuff, I shall not be requiring you to turn in your geek license this day.

Re:

[flyingfsck]

Why? Microsoft has no economic incentive to fix their crapware and being strictly a commercial enterprise, they have no pride and cannot be shamed into fixing their crapware either.

Limited user anyone?

[Anonymous Coward]

I run as a limited user . I was attacked .
Instead of getting crap installed, an error in my security log about an Active X control not having required permissions to install
So I must ask, How many are vulnerable merely because they foolishly surf as Owner/ Administrator?
You might that this make no difference, but here, you would be wrong.

Re:

[calebt3]

I find it incredible how much you can't do as an XP limited account. My parent's WiFi link is defective, and the only way to get it back is to have it go through the 'Repair' process. Limited accounts aren't allowed to do this. Merely for curiosity's sake: can limited accounts in Vista do the Repair function?

Re:

[perlchild]

If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a ddos in the making...

Re:

[phantomcircuit]

If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a dos in the making...

DDoS == Distributed Denial of Service
DoS == Denial of Service

Fixed that for you.

Re:

[calebt3]

I can disable/enable networking in Ubuntu without using gksu.

Re:

[vtscott]

That seems like a lame reason to not allow that functionality. I mean, if you allow a limited account to visit websites, they could just keep clicking reload over and over again on the router configuration page. There's another possible DoS attack.

Re:Limited user anyone?

[DNS-and-BIND]

I find it incredible how much you can't do as an XP limited account.

That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.

Re:

[STrinity]

Merely for curiosity's sake: can limited accounts in Vista do the Repair function?

Vista doesn't distinguish between limited and administrator accounts without some major tweaking. By default all accounts are limited, but if you do anything that requires elevated privileges, the screen greys and a dialogue box appears asking if you want to perform the action as administrator. This is the dreaded UAC.

Re:

[Mr. Vage]

I tried to run my parents in limited user mode, but it only caused problems. You really can't do anything as a limited user. Vista has improved on this a lot with UAC. Users run as limited users, but if something requires administrative access they can temporarily raise the application's permissions (Cancel or Allow).

Re:

[flyingfsck]

How many? About 100% of home Windows users and 99% of business Windows users. Most people have no idea that Windows can be locked down and not the foggiest notion of how to do it, sine they have never heard of MS Technet and Common Criteria Certification.

Re:

[calebt3]

That's why we can get paid so much as a PC Technician.

Re:

[Anonymous Coward]

Moreover, they get pissed right the hell off when they try to go and do something and find "that goddamned security thing won't let me fuck up my computer"...

I've had any number of people bitch when they try to install their screen saver, or some other PoS bit of crapware doohickey their neice's best-friend got from an pseudo-anonymous myspace poster.

One of such user was my boss, who despised the notion of operating system security as being "crap that makes it hard (or impossible) to do whatever the hell yo

Re:

[Joe The Dragon]

Most of the people who use Myspace, Facebook also play games that need admin to run and some just error out when try to run them as limited user and that some has to do with there copy prevention systems, on line play systems that are used to prevent cheating, built in game auto updating and so on.

Apologies, but...

[gardyloo]

I apologize to any *individual* who may have been hit hard by these 'sploits. But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!

Re:

[causality]

I apologize to any *individual* who may have been hit hard by these 'sploits.

I don't feel sorry for them in the slightest. It's not like IE/ActiveX's security track record is some big secret that would take a great deal of effort to find out about. People are voluntarily using a program with an unusually poor security history and are having security problems -- where is the surprise?

You could argue from the victim mentality and say "but they don't know any better", to which I would ask, do you think

Good reminder for the Mozilla extensions

[pembo13]

To check twice as hard for security flaws.

ActiveX is not the problem per se

[zootie]

ActiveX is a way to extend the browser, to make the web site better for -at least Windows- users (and overcome some of the limitations of good old fashioned HTML/HTTP). Truth is that even standards compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.

In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with a graphics friendly and programming flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver flash content.

Re:

[zootie]

While movie player and ad-rotator are common uses for Flash, many site are using it for more than that. They're doing full fledged interactive environments within Flash - I remember seeing Flash based games as early as 1996 (and now they are pretty common). In my office, people don't play Solitaire, they play Wheel of Fortune, Backgammon and other Flash games...

For graphics designers, Flash programming comes as a natural extension (and a way to bypass programmers), and it can offer enhanced functionality th

Re:

[NatasRevol]

"And Flash is an ActiveX control..."

Not on my computer. Or the browser I use in Windows.

Re:

[ACMENEWSLLC]

Per various sources, Flash is on 98% of PC's connected to the Internet. So when I start to refresh my web apps on my companies site (about 8 years old now) what should I use? AJAX type code which may or may not work 6 years from now and I might have to update as vulnerabilities become know? My apps from 6 years ago have some AJAX type coding in them, but had to be backwards compatible with IE 4 and NS 3.0 so it's nothing like AJAX of today. Still, I've spent considerabile time updating libraries with se

Re:

[Winckle]

deafblind people?

Re:

[pembo13]

I really hope that never happens. Too many websites are in flash as it is. Darn you for wishing for more.

Re:

[ladybugfi]

ActiveX is a way to extend the browser.... ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

I strongly disagree. ActiveX has a bad reputation for a reason: it has a very poor security model for its intended use.

Securitywise, Flash isn't as good as it could be. It seems that the security features have been a gradual add-on features over the years instead of being designed as an integral part of the system from day one. And that approach has never really worked well. For example, as far as I know, you can't digitally sign SWF files.

Re:

[DeftPunk79]

I agree with zoot. I also think other programs such as firefox are just as susceptible to attack. The bad guys go after IE and activeX because they are more widely used. If the user numbers were switched for IE and FF I think you would have just as bad a time, if not worse, with FF as with IE users now.