Yahoo Messenger Flaw Being Exploited in the Wild

By Lisa Vaas  |  Posted 2007-06-11 Print this article Print

Hackers are able to exploit a buffer-overflow vulnerability in Yahoo Messenger's Webcam ActiveX control, typically through Internet Explorer.

A high-risk Yahoo Messenger vulnerability is being exploited in the wild, jacking up the criticality of applying a fix to avoid system hijacking. At issue is a buffer-overflow vulnerability in Yahoo Messengers Webcam ActiveX control. Attackers can exploit the issue to execute arbitrary code within the context of an application that uses the control—typically Internet Explorer, according to Symantecs DeepSight Alert Services. eEye spotted proof-of-concept code last week and predicted that a malicious exploit would soon follow. Sure enough, DeepSight has spotted an active exploit in the wild at "at least one" site:
The exploit is put to work when an attacker crafts a malicious site designed to take advantage of the vulnerability. The attacker then lures victims to the site by sending the exploit code via e-mail or hosting it in a remotely accessible location, for example.
When victims visit the page, arbitrary code runs in the context of their browser. If successful, the attacker then gains remote access to control the target system. Affected versions range from Yahoo Messenger 5.5.0 on up to 8.0.0 and those versions in between. Yahoo Messenger 8.1 isnt affected. Users should immediately upgrade to the version Yahoo put out to fix the problem late last week: Version, posted at eEye Digital Security found the flaw last week; its original advisory is here. In lieu of installing the patch, DeepSight suggests these workarounds and mitigations:
  • To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
  • To reduce the likelihood of successful attacks, never follow links provided by unknown or untrusted individuals.
  • Implement multiple redundant layers of security. Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attackers ability to exploit this vulnerability to execute arbitrary code.
  • Review and adjust according to policy any default configuration settings. To mitigate the possibility of an exploit through HTML e-mail, configure e-mail clients to render messages in plain text. This mitigation may adversely affect some functionality of e-mail clients.
  • To prevent successful exploits, disable Active Scripting in Internet Explorer or set the kill bit on CLSID:9D39223E-AE8E-11D4-8FD3-00D0B7730277. For details on setting the kill bit for CLSIDs, consult Microsoft support document 240797.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel