Archive for the ‘Social networks’ Category

Filed Under (Social networks, security) by Telix on May-27-2008

Facebook, one of the most popular social networking sites, has been vulnerable to a critical XSS flaw that allows hackers to install malicious scripts. The researchers who detected this vulnerability also posted a screenshot demonstrating the problem. One of the most recent incidents involved serving malware and live exploit URLs through vulnerable web applications, introducing Zlob trojans in the form of fake video codecs; it was initially traced back to infrastructure provided by the Russian Business Network. The security folks at Facebook have been notified, and it seems the Facebook team responded very quickly and fixed the issue immediately!



Filed Under (Internet, Social networks, Software, security) by Telix on February-26-2008

Facebook and MySpace users are reminded to be cautious when using plugins for these services. As Symantec reports, Image Uploader is still vulnerable to ActiveX control hacks, especially in version 4.5.57.1, where hackers can exploit it with a multi-attack kit. If you are using Aurigma Image Uploader to upload photos to your profiles, be aware of the possible threats and problems you might encounter. Even though those bugs were patched a couple of months ago, hackers have again found a way to hijack the software and harm its users.



Filed Under (Internet, Social networks, security) by Telix on February-5-2008

Symantec reported six buffer-overflow vulnerabilities that affect a number of widely distributed ActiveX controls. These issues can be used to execute code or crash the vulnerable applications. So far the following applications are vulnerable: Aurigma ImageUploader4 and ImageUploader5, Yahoo! MediaGrid and Yahoo! DataGrid. Users are advised to be aware of these ActiveX vulnerabilities and to browse safely.



Filed Under (Internet, Social networks, security) by Telix on February-4-2008

Security researcher Elazar Broad found a new vulnerability in Facebook’s Aurigma ImageUploader control. The control is vulnerable to a stack-based buffer overflow in the ExtractExif and ExtractIptc properties. The affected controls, distributed by Aurigma Imaging Technology, include: FaceBook PhotoUploader 4.5.57.0, Aurigma ImageUploader4 4.6.17.0, Aurigma ImageUploader4 4.5.70.0, Aurigma ImageUploader4 4.5.126.0 and Aurigma ImageUploader5 5.0.10.0. Only FaceBook PhotoUploader 4.5.57.1 is not vulnerable, so we recommend an immediate upgrade. Alternatively, you can disable the uploader tools or disable ActiveX components.



Filed Under (Social networks, security) by Telix on January-14-2008

Online hackers are using hacked MySpace profiles to spread links to their malicious software. The trojan horse is disguised as a Microsoft update. MySpace visitors get a popup window advising them to download the latest version of Microsoft’s Windows Malicious Software Removal Tool, software that Microsoft distributes to help Windows users rid their systems of malware. If the user clicks anywhere on this image, their computer begins to download the Trojan program. The Trojan, detected by McAfee as TFactory, is already-known code that has been used by criminals for well over a year. The hackers were able to launch this attack because they either discovered a flaw in the MySpace code or found a way of taking over user accounts. MySpace users should take care if they see such a pop-up screen and avoid clicking on the image.



Filed Under (Social networks, security) by Telix on January-7-2008

With the growing popularity of social networking sites, it was only a question of time before hackers found a way to spread their nastiness to everyone. FortiGuard reports a Facebook widget called “Secret Crush” that installs adware on users’ machines, and a Facebook widget that forces you to install the Zango adware/spyware. Sunbelt Software and others have also reported MySpace banners that deliver malware. Meanwhile, these social networking sites hold a rich haul of personal data. Social networking sites are ripe for malicious attacks, and it’s likely we’re going to hear a lot more about them in 2008.