The Yahoo! Messenger Zero-day For The Month Of August

[tansqrx 0]

Yahoo! Messenger is once again in the news for all the wrong reasons. This time it is a heap overflow in the webcam component. The news was apparently first exposed my McAfee in a blog post at http://www.mcafee.com/us/threat-center.aspx. A second post at http://www.mcafee.com/us/threat-center.aspx goes into more detail explaining that you shouldnât accept unknown webcam invites and to possibly firewall port 5100. Security Focus has also issued an alert at http://www.securityfocus.com/bid/25330/info but they only classify is as a remote denial of service attack, far from the remote code execution heralded by McAfee. Security Focus reports that exploit code can be found at http://forums.xisto.com/no_longer_exists/.

 

When I hear that a new exploit may be on the market for Messenger the first thing I do is head over to Google News and see what the top Messenger stories are. For some reason I think this particular exploit may be getting the attention of a more generalized audience. Compared to the June 2007 exploit, the news reports appear to be more numerous and written in a more ominous tone. The thing that really caught my attention was the fact that more main stream media outlets are picking up on this story such as ABC (http://abcnews.go.com/Technology/PCWorld/story?id=3482490). Although this particular Yahoo! Messenger attack may not be any worse than the June exploit, Yahoo! may have a bigger public relations mess on their hands.

[tansqrx 0]

Security Fix 8.1.0.416On the 16th of August I reported the latest Yahoo! Messenger exploit that was leaked. At the time not much information was given about the exploit but since then I have a little bit more. The exploit was apparently due to a buffer overflow in the JPEG2000 (https://en.wikipedia.org/wiki/JPEG_2000) CODEC. Yahoo! has now announced that the exploit has been patched in its latest release, 8.1.0.416. The patch should be automatically pushed out to users.