As seems to be the trend lately, anytime avulnerability is disclosed in an ActiveX control, it is only a shorttime before it is bundled into the Web attack toolkits. For thisFacebook vulnerability, it was less than a day from the vulnerabilitybeing disclosed on February 12th to it first showing up on ourhoneypots on February 13th.
So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.
Oddly enough, this Facebook exploit kit is being served from aMySpace phishing site, though unsurprisingly, hosted on a numbered .cndomain. Detections for this attack will be as “Facebook Photo Uploader'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer OverflowVulnerability” for NAV/NIS 2008 products. Since this attack toolkitincludes several other exploits, detection may also fall under theindividual exploits depending on the vulnerable products installed.
Other products will detect this attack as Downloader.Trojan.