
Security flaws in Yahoo Messenger, Cisco VPN and Windows

There are a few notable security flaws to report on this morning in Yahoo Messenger, Cisco’s VPN Client and Windows. Here’s a roundup:

Yahoo Messenger

According to Wei Wang of McAfee Avert Labs, researchers there confirmed a flaw in Yahoo Messenger that attackers could exploit to compromise a Windows PC. “It seems like a classic heap overflow which can be triggered when the victim accepts a Web cam invite,” Wang wrote in the McAfee Avert Labs blog. He added that the Yahoo security team has been notified, and that there are steps users can take to protect themselves until a fix is developed.

“We recommend the following to users using Yahoo Messenger Web cam: Don’t accept Web cam invites from untrusted sources [and] it’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability,” Wang wrote.

Cisco VPN Client

Cisco has released security advisory cisco-sa-20070815-vpnclient to address two flaws attackers could exploit in the Cisco VPN Client for Microsoft Windows to gain elevated user privileges.

The first problem is an error when using a VPN profile configured for Microsoft dial-up networking to launch a dial-up networking dialog box. Attackers could exploit this to gain system privileges by enabling the Start Before Logon (SBL) feature and configuring a VPN profile. The second problem involves insecure default file permissions being set on the “cvpnd.exe” file, which attackers could exploit to replace the affected file with a malicious binary and gain system privileges.
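The second flaw is a file-permission problem, so an administrator can check for it by reading the ACL on the binary. The PowerShell script below is an added example, not code from Cisco's advisory or from this article; the `-Path` argument (the location of cvpnd.exe on the host) and the list of trusted SIDs are assumptions to adjust per environment.

```powershell
# Added example: flag ACL entries that let an unprivileged principal replace a service binary.
param(
    # Assumption: pass the real location of cvpnd.exe on the host being checked.
    [Parameter(Mandatory)]
    [string]$Path
)

# Assumption: only these principals should be able to modify the binary.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that allow overwriting, deleting, or re-permissioning the file,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -LiteralPath $Path
$findings = @()

# A non-trusted owner can rewrite the DACL at will.
$owner = $acl.GetOwner($sidType).Value
if ($trustedSids -notcontains $owner) {
    $findings += [pscustomobject]@{ Sid = $owner; Issue = 'Owner'; Rights = 'implicit WRITE_DAC' }
}

# Explicit and inherited Allow entries, with identities returned as SIDs.
foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Value
    if ($trustedSids -contains $sid) { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
        $findings += [pscustomobject]@{ Sid = $sid; Issue = 'Allow ACE'; Rights = $ace.FileSystemRights }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "No write-capable entries for untrusted principals on $Path"
```

A non-zero exit code means at least one principal outside the trusted list can modify the file or its permissions.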

Bad timing for Windows admins

As you can see, both issues are a problem for IT administrators in Windows-based environments. The timing is particularly bad for them since this is also the week when everyone is trying to deploy the latest security updates from Microsoft. On Tuesday, the software giant released nine security updates for flaws in Internet Explorer, Excel and other programs within the Windows OS.
