Serious flaws put Yahoo Messenger users in peril

Article

Serious flaws put Yahoo Messenger users in peril

Attackers could exploit two serious flaws in Yahoo Messenger to run malicious code on targeted machines, multiple security firms warned Wednesday.

Aliso Viejo, Calif.-based eEye Digital Security said in an advisory

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

that "multiple flaws exist within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."

Yahoo Messenger flaws:
April: Yahoo fixes Messenger flaw: Attackers could exploit a flaw in Yahoo Messenger to hijack targeted machines, but a fix is available.

Companies take IM threats seriously: Wesabe is a brand new money management community, whose members share tips on everything from saving on organic produce to knocking down credit card debts. It is also among the companies saying it now takes threats to IM as seriously. 

Danish vulnerability clearinghouse Secunia took the description a few steps further in its advisory, saying the problems are a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method; and a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method.

The flaws affect version 8.1.0.249, Secunia said. The firm recommended users mitigate the risk by setting the kill bit for the affected ActiveX controls.