Free tool blocks Facebook, MySpace, and Yahoo ActiveX vulnerabilities
February 8th, 2008 by Shanmuga
"A researcher over at the Internet Storm Center has created a powerful GUI that will set the kill-bits on vulnerable ActiveX controls used in Facebook, Myspace, and Yahoo apps. These popular apps came under attack on Monday after researchers Elazar Broad and Krystian Kloskowski disclosed their findings to a online security newsgroup.
Read the rest of this entry »
If you enjoyed this post, make sure you subscribe to my RSS feed!
Category: Software, Vulnerabilities | No Comments »
"Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs, security experts said today. Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft’s Internet Explorer (IE) browser.
"Mozilla’s security chief Window Snyder has confirmed a proof of concept information leak flaw in Firefox–even fully patched versions. Snyder confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any javascript file on a machine.
"…Microsoft Excel files are being used to exploit a zero-day (previously unknown/unpatched) vulnerability and plant keystroke loggers on select (.gov?) networks…bugs in Microsoft Office applications emerged over the last year as standard weapons for criminals conducting corporate espionage and computer attacks against military targets. Last summer, Microsoft’s Office team struggled to keep pace with flaw discoveries and, after a brief lull, it looks like we’ll see much of the same this year.
"Luigi Auriemma, a 27-year-old Italian researcher who broke the news of the flaw on Thursday, said that the most recent version of QuickTime is prone to a buffer overflow that, if successfully exploited, gives the attacker free rein over a user’s computer. He posted information and proof-of-concept code on security site, milw0rm, his own website and multiple mailing lists.
"Microsoft has fixed a critical flaw in the Windows operating system that could be used by criminals to create a self-copying computer worm attack. The software vendor released its first set of patches for 2008 on Tuesday, fixing a pair of networking flaws in the Windows kernel. Microsoft also released a second update for a less-serious Windows flaw that would allow attackers to steal passwords or run Windows software with elevated privileges.
"Security experts are warning users to be vigilant after the disclosure of a new security vulnerability in RealPlayer. The flaw could allow an attacker to remotely execute code on a victim’s machine.
"Israeli security researcher Aviv Raff has issued a warning for a fairly serious browser vulnerability that exposes Firefox users to identity theft attacks. Raff, a well-respected hacker who regularly reports security problems in software products, discovered a way to use a browser bug to lure Firefox users into entering login credentials into a maliciously rigged dialog box.
"The Security Vulnerability Research and Defense blog, introduced Thursday, provides in-depth technical information and ways security professionals can protect an organization from vulnerabilities. The blog will be updated the second Tuesday of every month, called "Patch Tuesday," which is when Microsoft releases security updates for Windows and other software.
