McAfee was the first to get hold of the news and the results of its tests were posted on the company’s Avert Labs blog:
“[…]we got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 126.96.36.1993 based on the information provided in the forum. It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. […] We’ve been able to reach Yahoo! security team and have informed them about this issue.”
The company advises users not to accept webcam invites from untrusted sources until a patch is released. Also, McAfee adds that would be a good move to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability
Yahoo’s previous Messenger bug issue dates from June, when eEye Digital Security discovered two critical vulnerabilities in ywcupl.dll (version 188.8.131.52) and ywcvwr.dll (version 184.108.40.206), both of them Webcam ActiveX components, included by default in all releases of Yahoo! Messenger 8.x. The June exploit took advantage of buffer overflow issues within the Webcam ActiveX component.