xisto Community
iGuest

Yahoo! Messenger vulnerability

Secunia Research has discovered a vulnerability in Yahoo! Messenger, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a combination of weak default directory permissions and the Audio Setup Wizard (asw.dll) invoking the "ping.exe" utility insecurely during the connection testing phase. This can be exploited to execute arbitrary code with the privileges of another user by placing a malicious "ping.exe" file in the application's "Messenger" directory.

Successful exploitation requires that a user runs the Audio Setup Wizard and that the application has been installed in a non-default location (not as a subdirectory to the "Program Files" directory).

The vulnerability has been confirmed in version 6.0.0.1750 for Windows. Other versions may also be affected.

Solution:
Update to version 6.0.0.1921 or later.
https://messenger.yahoo.com/

Provided and/or discovered by:
Carsten Eiram, Secunia Research.

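An added example, not part of the original post or the Secunia advisory: a Python check a defender could run over `icacls` output to see whether ordinary users can create files in an application directory, which is the precondition for the planted "ping.exe" described in the advisory, and whether a file with that name is already present. The install paths, ACL listings, principal list and the file name "YahooMessenger.exe" are constructed or assumed for illustration.

```python
import re

# Principals every ordinary local user matches (assumption: English-locale names).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that permit creating a file in a directory:
# F full, M modify, W write, WD write data/add file, GA/GW generic all/write.
CREATE_RIGHTS = {"F", "M", "W", "WD", "GA", "GW"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def writable_by_low_priv(path, icacls_output):
    """Return low-privileged principals whose allow ACEs let them add files to path.

    Simplification: deny ACEs are skipped, not subtracted from the allow ACEs.
    """
    hits = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is "<path> <ACE>"
        m = ACE.match(line)
        if not m:
            continue                          # blank or summary line
        tokens = {t for g in re.findall(r"\(([^)]*)\)", m["flags"])
                  for t in g.split(",")}
        if "DENY" in tokens or "IO" in tokens:
            continue   # deny ACE, or inherit-only ACE that skips the directory itself
        if m["who"].lower() in LOW_PRIV and tokens & CREATE_RIGHTS:
            hits.append(m["who"])
    return hits

def shadowing_files(filenames, watched=("ping.exe",)):
    """Files in the application directory named like a system utility it invokes."""
    return sorted(f for f in filenames if f.lower() in watched)

# Constructed sample: install outside "Program Files" with a weak ACL.
SAMPLE_WEAK = r"""C:\Apps\Yahoo!\Messenger BUILTIN\Users:(OI)(CI)(M)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: ACL of the kind found under "Program Files".
SAMPLE_DEFAULT = r"""C:\Program Files\Yahoo!\Messenger BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  BUILTIN\Administrators:(I)(F)"""

if __name__ == "__main__":
    print(writable_by_low_priv(r"C:\Apps\Yahoo!\Messenger", SAMPLE_WEAK))
    print(shadowing_files(["YahooMessenger.exe", "asw.dll", "PING.EXE"]))
```

A non-empty result from `writable_by_low_priv` means the directory's ACL should be tightened; a hit from `shadowing_files` in an application directory warrants checking where that file came from.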
