(LiveHacking.Com) — Microsoft’s Vulnerability Research team has posted details of two vulnerabilities, one in Google’s Picasa photo editing and sharing application that could potentially allow remote code execution, and one on Facebook.com that could lead to account compromise.
The problem in Picasa, which affects Picasa for Windows version 3.6 build 105.61 and earlier, exists in the way that Picasa handles certain specially crafted JPEG images. An attacker could exploit this vulnerability to cause Picasa to exit unexpectedly and execute arbitrary code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Vulnerability Research reported this issue to Google privately and, now that a fix is available, can disclose the details of the problem.
With Facebook, a vulnerability exists in the way that Facebook.com had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s Facebook.com account and could perform any action on behalf of the user, such as reading potentially sensitive data, changing data, and deleting contacts.
As with Google, Microsoft Vulnerability Research reported this issue to Facebook privately, and it has now been fixed.