Microsoft’s Vulnerability Research team is keeping itself busy finding bugs in other vendors’ products, with the two latest being a vulnerability in Google’s Picasa photo editing and sharing application and a bug in Facebook that could lead to the compromise of a victim’s account.
The bug in Picasa that the MVR team found could allow an attacker to gain complete control of a user’s machine if he could entice the victim into downloading a malicious JPEG file. It’s not the most complex exploitation scenario, and in the current age of people sharing, downloading, emailing and re-posting photos on a variety of platforms, it might not be too difficult for an attacker to accomplish.
“A vulnerability exists in the way that Picasa handles certain specially crafted JPEG images. An attacker could exploit this vulnerability to cause Picasa to exit unexpectedly and execute arbitrary code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its advisory.
Picasa, which enables users to load, edit and share photos, has an auto-update feature, which should download the newest, fixed version of the app to users’ machines.
The establishment of the Microsoft Vulnerability Research team represents an interesting milepost on the company’s nearly decade-long journey from security pariah to major player in the security community. In years past, it would have been unthinkable for Microsoft to have a group of researchers working specifically on finding and reporting bugs in other companies’ products, but the company has hired a number of talented researchers in recent years and has spent more time working with third parties on security initiatives.
The vulnerability in Facebook involves a problem with the way that the site implemented its protection against clickjacking attacks. An attacker could use the vulnerability to gain full access to a victim’s account.
“A vulnerability exists in the way Facebook.com had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s Facebook.com account and could perform any action on behalf of the user such as read potentially sensitive data, change data, and delete contacts,” the MVR advisory said.
Facebook has fixed the problem.