Filed Under (Reflections) by DK on 6 February 2008

Elazar recently released a buffer overflow proof of concept in Aurigma’s ImageUploader ActiveX plugin.

This ActiveX control is used by Facebook and I have seen it mentioned that MySpace is affected too. The vulnerability is only present for Internet Explorer users.

This vulnerability will allow an attacker to execute commands on your computer via your browser.

This has massive worm potential because no auto-update facility is available for ActiveX controls. Aurigma may be working on a fix, but it will be a long time before all users have upgraded. Furthermore, it's ironic that this vulnerability has been released now: BlogSec were a week or two away from releasing a similar advisory. As time permits we'll look into this further, but in short, I believe there are a number of these vulnerabilities still waiting to be found in the Aurigma service.

To remove the risk: go to "D:\WINDOWS\Downloaded Program Files", where you'll see all your currently installed Internet Explorer ActiveX controls. You are looking for "ImageUploader4". If it exists, right-click it and choose uninstall.

Next time you go to upload Photos on Facebook, your browser will prompt you to reinstall it, this time installing the latest version.

Social network services such as Facebook and MySpace have a huge responsibility to their users. A similar vulnerability has been discovered before. This tells me that the vendor may only be patching the symptom rather than targeting the underlying problem.

It really concerns me when services like Facebook, with millions of users, provide and request that their users download and install software that, in my opinion, has not been security-tested or audited.

More info is available from Larry Dignan's post on ZDNet here.


Comments

Ich bin eine Listerine « Library Revisited on 10 February, 2008 at 1:31 am #

[…] lots of politics, the new president of the College, various health discussions, the coup in Chad, Security issues with Facebook and IE7, and solicitations for Wisdom of the List (WOTL) on teens travelling alone, yoga for fat chicks, […]
