
As seems to be the trend lately, any time a vulnerability is disclosed in an ActiveX control, it is only a short time before it is bundled into Web attack toolkits. For this Facebook vulnerability, less than a day passed between its disclosure on February 12th and its first appearance on our honeypots on February 13th.



So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.



Oddly enough, this Facebook exploit kit is being served from a MySpace phishing site, though, unsurprisingly, it is hosted on a numbered .cn domain. NAV/NIS 2008 products will detect this attack as “Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability”. Since this attack toolkit includes several other exploits, detection may also fall under the individual exploits, depending on the vulnerable products installed.



Other products will detect this attack as Downloader.Trojan.

