Yahoo fixes messenger flaws

By SearchSecurity.com Staff 11 Jun 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines. The update comes as security experts track increased instances of exploit code in the wild.

The Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site Sunday. ISC handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible. "Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."

Yahoo Messenger: Serious flaws put Yahoo Messenger users in peril: Attackers could exploit two serious flaws in Yahoo Messenger to run malicious code on targeted machines, vulnerability trackers warned Wednesday.

The flaws first came to light last week, when Aliso Viejo, Calif.-based eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."

Danish vulnerability clearinghouse Secunia took the description a few steps further in its advisory, saying the problems are a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method; and a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method.

The flaws affect version 8.1.0.249, Secunia said. The firm recommended users mitigate the risk by setting the kill bit for the affected ActiveX controls or, better yet, installing the updated version of Yahoo Messenger.

Tags: IM Security Issues, Risks and Tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Security flaws found in AOL, Yahoo IM programs Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary