Exploitation of the Facebook ImageUploader Vulnerability
As seems to be the trend lately, anytime avulnerability is disclosed in an ActiveX control, it is only a shorttime before it is bundled into the Web attack toolkits. For thisFacebook vulnerability, it was less than a day from the vulnerabilitybeing disclosed on February 12th to it first showing up on ourhoneypots on February 13th.
So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.
Oddly enough, this Facebook exploit kit is being served from aMySpace phishing site, though unsurprisingly, hosted on a numbered .cndomain. Detections for this attack will be as “Facebook Photo Uploader'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer OverflowVulnerability” for NAV/NIS 2008 products. Since this attack toolkitincludes several other exploits, detection may also fall under theindividual exploits depending on the vulnerable products installed.
Other products will detect this attack as Downloader.Trojan.
About Security Response Blog
Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.
Filter by:
Recently on Twitter
- Strange Case of W32.Xpaj.B as Patient Zero http://t.co/8872Zu17 #virus23 hours 45 min ago
- A legitimate digitally signed file is misused in order to load #malware on to a computer: http://t.co/wZjNKKCh24 May 2012
- ZTE Score: Privilege of Escalation in a Nutshell http://t.co/Svj5T57F23 May 2012
- #Worm Posts on SNS Sites and Wipes out Rivals http://t.co/RWRIZdzU18 May 2012
- Beware #419 scams taking advantage of the #Facebook IPO: http://t.co/7TPOvR8w18 May 2012