Security flaws found in AOL, Yahoo IM programs

By Bill Brenner, Senior News Writer 20 Sep 2007 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Attackers could exploit vulnerabilities in popular instant messaging programs from AOL and Yahoo to upload malicious files on targeted computers, several security firms warned Wednesday.

Danish vulnerability clearinghouse Secunia warned in its SA26786 advisory that attackers could exploit a flaw in AOL Instant Messenger to execute arbitrary script code.

"Input passed to the notification window is not properly sanitized before being displayed to the user," Secunia said. "This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by sending a specially crafted message to another user."

Secure IM: Quiz: Secure instant messaging: A five-question multiple choice quiz to test your understanding of the content presented in the Secure instant messaging lesson of SearchSecurity.com's Messaging Security School. Secure instant messaging in the enterprise: Instant messaging can be a conduit through which viruses come in to and sensitive data goes out of the corporate network. Face-off: Instant messaging in the enterprise: Is instant messaging at work a matter of pure convenience, or pure danger?

Successful exploitation requires that the target user is chatting with a different user so that the notification window is shown, and that the attacker is in the buddy list of the target user or the target user accepts the IM message from the attacker, Secunia noted. The flaw affects version 6.1.41.2 of the program, and other versions may be affected as well.

Until AOL fixes the problem, Secunia recommends users protect themselves by disabling the "New IMs arrive" option in the notifications settings and adding only trusted users to the buddy list.

Meanwhile, Cupertino, Calif.-based antivirus giant Symantec Corp. warned customers of its DeepSight threat management service that Yahoo Messenger is prone to an arbitrary file-upload vulnerability.

An ActiveX control in the program fails to adequately sanitize user-supplied input, allowing attackers to upload malicious files to an arbitrary location on a victim's computer, with the permissions of the application using the ActiveX control (typically Internet Explorer), Symantec said. Yahoo Messenger 8.1.0.421 is vulnerable and other versions may be affected as well.

As a workaround, Symantec suggested users disable active scripting in Internet Explorer or set the kill bit on CLSID:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F.

Tags: IM Security Issues, Risks and Tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat Security vendor Postini acquired by Google

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary