Common Tasks

Recent Posts

Community

Email Notifications

Personal Links

Archives

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

ActiveX Vulnerabilities - Facebook, MySpace and Yahoo

There are warnings for at least 6 Active controls that may experience buffer overflows or crashes and thus be subject to exploit developments   So far there are no known in-the-wild attacks and in using the ISC's GUI based tool (link at the bottom) I had no exposures on my current system.

ActiveX Vulnerabilities - Facebook, MySpace and Yahoo
http://www.eweek.com/c/a/Security/ActiveX-Under-Seige-Facebook-MySpace-Image-Uploaders-Vulnerable/
http://www.us-cert.gov/current/index.html#publicly_available_exploit_for_facebook
http://www.kb.cert.org/vuls/id/776931

Six key sites and Killbits for those sites
http://isc.sans.org/diary.html?storyid=3929
http://isc.sans.org/diary.html?storyid=3931

QUOTE: The US-CERT is urging Web surfers to immediately disable ActiveX controls from Internet Explorer to protect against a swath of publicly reported—and unpatched—software vulnerabilities.

The US-CERT (Computer Emergency Response Team) recommendation follows the release of exploit code for multiple zero-day flaws in image uploaders used by Facebook and MySpace and bugs in the ActiveX control that ships with the Yahoo Music Jukebox software.

According to Erik Kamerling, a vulnerability analyst at Symantec's DeepSight threat center, the availability of exploits for flaws in high-profile targets like Facebook and MySpace is cause for concern.

Although Symantec is unaware of in-the-wild exploitation of the ActiveX flaws, there's a feeling that attacks are inevitable. Admins are advised to set the kill bit for the following CLSIDs as soon as possible:

Aurigma: CLSID 6E5E167B-1566-4316-B27F-0DDAB3484CF7 ('ImageUploader4.ocx')
Aurigma: CLSID BA162249-F2C5-4851-8ADC-FC58CB424243 ('ImageUploader5')
Facebook: CLSID 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0
Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139
Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2

The GUI based tool is an EXCELLENT resource that checks for the 6 current vulnerabilities.  It will highlight whether these are present on your system.  If so, you can check any of these you desire to be made inactive until this issue is resolved. 

ISC GUI Tool can be downloaded from here:
http://handlers.sans.org/tliston/KillBitGui-Feb08.exe

ISC Command line
http://handlers.sans.org/tliston/KillBitCLI-Feb08.exe

Posted: Feb 05 2008, 04:19 PM by Harry Waldron | with 3 comment(s)

Comments

ActiveX Vulnerabilities - Facebook, MySpace and Yahoo said:

Pingback from  ActiveX Vulnerabilities - Facebook, MySpace and Yahoo

# February 5, 2008 11:34 AM

Iain House said:

Check the Datagrid CLSID - too many characters!

Symantec have it wrong on their website, and your one of MANY people who have copied it!

# February 5, 2008 12:05 PM

Iain House said:

The CLSID for Yahoo! Datagrid originally published by Symantec and ISC is incorrect and you have copied it here. Please check the original articles, both of which have now been corrected.

# February 5, 2008 5:22 PM