Subject: Recent Flaw with some ActiveX controls (Facebook, Yahoo) - how is it exploited
Date: Mon, 11 Feb 2008
I'm aware of the recently alerted flaw in the image uploader ActiveX
control used by some popular social networking sites. But I haven't
found technical details to explain where the risk actually lies...
Is it in the Uploader talking to a malicious download application, or
is it the Uploader opening a malicious image file? Or is there a
different attack vector?
I don't suppose Facebook or MySpace would intentionally post a
malicious download element to the Uploader - although someone could
spoof one of these sites to get at an unsuspecting user.
Or if it is crafted image files that we are worried about, then as long
as users stick to pictures which they know to be OK (such as photos
they've taken themselves), then surely the risk is quite low.
I'm guessing that the risk is related to the first mentioned above, in
that a malicious site could invoke the ActiveX control and then pass
it crafted information - is that right?