Facebook, MySpace Hit by Unpatched Flaw

By Dave Nixon

February 4, 2008

Exploit code for an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly, putting users of the social networking sites at risk, according to security researchers.

Researcher Elazar Broad disclosed, on the Full Disclosure security mailing list, a vulnerability in the Aurigma Image Uploader, an application used by Facebook and MySpace. Exploiting the bug could allow an attacker to execute malicious code on a user’s system.

Code taking advantage of the defect has been publicly released on the milw0rm.com website, making attacks imminent, researchers said.

The vulnerability is caused by a boundary error in the ActiveX control Aurigma.ImageUploader.4.1 when handling strings assigned to the “Action” property, according to security firm Secunia.

This can be exploited to cause a buffer overflow by assigning an overly long string to the affected property, Secunia said.

Secunia said it had confirmed the flaw in ImageUploader4.ocx version 4.5.70.0, and assigned it a “highly critical” ranking. Previous versions are also likely to be affected, Secunia said.

Since no patch is available yet, researchers recommended that users set the kill-bit for the Aurigma ActiveX control.
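One way to apply the kill-bit mitigation on a Windows machine, as an added example that is not part of the original article or the advisory. It assumes the control is registered under the ProgID Secunia names, since the article does not give the CLSID; the function names are hypothetical, and the script must run from an elevated PowerShell prompt.

```powershell
# Added example: set the Internet Explorer kill-bit for the Aurigma control.
$ProgId  = 'Aurigma.ImageUploader.4.1'   # ProgID as named in the Secunia advisory
$KillBit = 0x400                          # "Compatibility Flags" bit that blocks loading in IE

# Look up the CLSID registered for a ProgID (default value of <ProgID>\CLSID).
function Resolve-Clsid([string]$Id) {
    $key = "Registry::HKEY_CLASSES_ROOT\$Id\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-Item $key).GetValue('')
}

# Set the kill-bit in the native and, where present, the 32-bit registry view.
function Set-KillBit([string]$Clsid) {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # view absent on this system
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Preserve any flags already set and OR in the kill-bit.
        $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        $current = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
        $new = $current -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value $new -Type DWord

        # Read the value back to confirm the bit is set.
        $check = (Get-ItemProperty -Path $key).'Compatibility Flags'
        $state = if ($check -band $KillBit) { 'kill-bit set' } else { 'NOT set' }
        Write-Output ("{0}: flags=0x{1:X} ({2})" -f $key, $check, $state)
    }
}

$clsid = Resolve-Clsid $ProgId
if ($clsid) {
    Set-KillBit $clsid
} else {
    # Control not registered here; the CLSID must come from the vendor or advisory.
    Write-Warning "$ProgId is not registered on this machine; no CLSID to block."
}
```

The kill-bit only stops Internet Explorer from instantiating the control; the vulnerable ImageUploader4.ocx file stays on disk until it is removed or updated.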

The popularity of social networking sites has exploded in recent months, and the sites have become established as business tools in some quarters, causing security concerns.

In December, WorkLight released a tool designed to let companies give employees access to Facebook while ensuring the social network is operated from behind secure corporate firewalls.

Earlier in 2007, Sophos found that Facebook users are too naive in publishing personal information, making them targets for identity theft.
