New Yahoo Messenger Flaw Unveiled
A new Yahoo Messenger vulnerability has been discovered. However, a few common sense steps should be more than enough to keep users safe until a patch will be released. The flaw affect both Yahoo Messenger 8.0 and 8.1 (Windows versions).
August 22, 2007
McAfee was the first to get hold of the news and the results of its tests were posted on the company's Avert Labs blog:
“[...]we got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 184.108.40.2063 based on the information provided in the forum. It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. [...] We’ve been able to reach Yahoo! security team and have informed them about this issue.”
The company advises users not to accept webcam invites from untrusted sources until a patch is released. Also, McAfee adds that would be a good move to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability
Yahoo's previous Messenger bug issue dates from June, when eEye Digital Security discovered two critical vulnerabilities in ywcupl.dll (version 220.127.116.11) and ywcvwr.dll (version 18.104.22.168), both of them Webcam ActiveX components, included by default in all releases of Yahoo! Messenger 8.x. The June exploit took advantage of buffer overflow issues within the Webcam ActiveX component.