Let's face it: the Internet is a dangerous place, and with REALTORS spending more of their time on social networking sites such as MySpace and Facebook, they are more likely to run into the various pests that exploit weaknesses inherent to those sites. To be fair to MySpace and Facebook, it is not their applications that are vulnerable, just the ActiveX controls they use, and similar controls are used on a number of other sites, including Yahoo.
However, on MySpace and Facebook users often post custom applications or modify pages with their own layouts and Java code, features which make the sites fun and interactive but also increase the potential risk to visitors. Rather than recommending that users avoid these sites, the security gurus at SANS (SysAdmin, Audit, Network, Security) have created a tool which disables the ActiveX components that pose a risk. Setting the kill-bit for an ActiveX control is nothing new: several spyware removal and repair tools, including Spybot S&D, SpywareBlaster, and Ad-Aware, do this as a preventative measure. It is also not that difficult to do yourself. If you are a DIY kind of person and want to know more about setting ActiveX kill-bits, simply follow the instructions in this Microsoft KB article.
When you run the kill-bit tool, it searches your system to determine whether you are currently using or have installed any of the vulnerable ActiveX controls, identifying each one by a unique number called a CLSID. If you have the vulnerable controls installed, the tool saves a copy of the state information (the compatibility flag) for each control and sets its compatibility mode to disabled. If you later want to enable a control again, merely remove the check next to it and the state it had will be restored: if the control was never installed, the entry is removed from your system, and if it was installed and enabled, the tool sets it back to that state.
The vulnerable ActiveX components include:
- Aurigma - ImageUploader4: Link to Explanation | CLSID {6E5E167B-1566-4316-B27F-0DDAB3484CF7}
- Aurigma - ImageUploader5: Link to Explanation | CLSID {BA162249-F2C5-4851-8ADC-FC58CB424243}
- Facebook - Photo Uploader 4: Link to Explanation | CLSID {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
- Yahoo! - Media Grid: Link to Explanation | CLSID {22FD7C0A-850C-4A53-9821-0B0915C96139}
- Yahoo! - Data Grid: Link to Explanation | CLSID {5F810AFC-BB5F-4416-BE63-E01DD117BD6C2}
- MySpace - Uploader: Link to Explanation | CLSID {48DD0448-9209-4F81-9F6D-D83562940134}
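The save, disable and restore cycle described above, sketched in PowerShell as an added example (it is not the SANS tool's code). It uses the registry location and 0x400 flag that Microsoft documents for kill bits; the function names and backup file path are assumptions, and the CLSIDs are copied as printed in the list, so any entry that does not parse as a GUID is skipped with a warning.

```powershell
# Added example, not the SANS tool's code. HKLM writes need an elevated prompt.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control
$Roots = @(        # native view, plus the 32-bit view on 64-bit Windows
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')
$Backup = Join-Path $env:TEMP 'killbit-state.json'   # hypothetical backup file
$Clsids = @(       # copied as printed in the list above
    '{6E5E167B-1566-4316-B27F-0DDAB3484CF7}', '{BA162249-F2C5-4851-8ADC-FC58CB424243}',
    '{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}', '{22FD7C0A-850C-4A53-9821-0B0915C96139}',
    '{5F810AFC-BB5F-4416-BE63-E01DD117BD6C2}', '{48DD0448-9209-4F81-9F6D-D83562940134}')

function Get-KillBitState {
    # One record per CLSID and registry view: did the key exist, and what were its flags?
    foreach ($clsid in $Clsids) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse($clsid, [ref]$g)) { Write-Warning "Skipping $clsid (not a valid GUID)"; continue }
        foreach ($root in $Roots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            $key = Join-Path $root $clsid
            $exists = Test-Path -LiteralPath $key
            $flags = $null
            if ($exists) { $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags' }
            [pscustomobject]@{ Key = $key; Existed = $exists; Flags = $flags
                               Killed = ($null -ne $flags -and ($flags -band $KillBit) -ne 0) }
        }
    }
}

function Set-KillBit {
    $state = @(Get-KillBitState)
    if (-not $state) { return }
    ConvertTo-Json -InputObject $state | Set-Content -LiteralPath $Backup   # save prior state first
    foreach ($s in $state) {
        if ($s.Killed) { continue }
        if (-not $s.Existed) { New-Item -Path $s.Key | Out-Null }
        New-ItemProperty -LiteralPath $s.Key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$s.Flags -bor $KillBit) -Force | Out-Null
    }
}

function Restore-KillBit {
    $saved = Get-Content -LiteralPath $Backup -Raw | ConvertFrom-Json
    foreach ($s in $saved) {
        if (-not $s.Existed) { Remove-Item -LiteralPath $s.Key -ErrorAction SilentlyContinue; continue }
        if ($null -eq $s.Flags) { Remove-ItemProperty -LiteralPath $s.Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue; continue }
        New-ItemProperty -LiteralPath $s.Key -Name 'Compatibility Flags' -PropertyType DWord -Value ([int]$s.Flags) -Force | Out-Null
    }
}

Get-KillBitState | Format-Table Key, Existed, Flags, Killed   # audit only; changes nothing
```

Running the script as-is only reports the current state; call `Set-KillBit` to disable the listed controls and `Restore-KillBit` to put back what was saved.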
My personal suggestion is, if you don’t have these controls installed but regularly visit those sites, go ahead and disable the controls by using the tool. If the performance of MySpace or Facebook is affected, then just reverse the changes by running the tool once more. However, it is better to be safe than to have to deal with a nasty piece of spyware such as virtumonde, smit-fraud, or clickspring.
GUI Version
http://handlers.sans.org/tliston/KillBitGui-Feb08.exe
CLI Version
http://handlers.sans.org/tliston/KillBitCLI-Feb08.exe