Yahoo Messenger Flaw Being Exploited in the Wild
Hackers are able to exploit a buffer-overflow vulnerability in Yahoo Messenger's Webcam ActiveX control, typically through Internet Explorer.
A high-risk Yahoo Messenger vulnerability is being exploited in the wild, jacking up the criticality of applying a fix to avoid system hijacking. At issue is a buffer-overflow vulnerability in Yahoo Messenger's Webcam ActiveX control. Attackers can exploit the issue to execute arbitrary code within the context of an application that uses the control, typically Internet Explorer, according to Symantec's DeepSight Alert Services. eEye spotted proof-of-concept code last week and predicted that a malicious exploit would soon follow. Sure enough, DeepSight has spotted an active exploit in the wild at "at least one" site: n.88tw.net.
The attack works by crafting a malicious Web page that instantiates the vulnerable control and triggers the overflow. The attacker then lures victims to that page, for example by sending a link or the exploit code itself in an HTML e-mail, or by hosting it at a remotely accessible location. Symantec recommends the following mitigations:
- To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
- To reduce the likelihood of successful attacks, never follow links provided by unknown or untrusted individuals.
- Implement multiple redundant layers of security. Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.
- Review and adjust according to policy any default configuration settings. To mitigate the possibility of an exploit through HTML e-mail, configure e-mail clients to render messages in plain text. This mitigation may adversely affect some functionality of e-mail clients.
- To prevent successful exploits, disable Active Scripting in Internet Explorer or set the kill bit on CLSID:9D39223E-AE8E-11D4-8FD3-00D0B7730277. For details on setting the kill bit for CLSIDs, consult Microsoft support document 240797.
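The kill bit in the last item is the one mitigation that blocks the vulnerable control outright, regardless of which page tries to load it. The script below is an added example (it is not from the article, Symantec or Microsoft) showing how an administrator would set and verify that kill bit from an elevated PowerShell prompt, following the registry layout Microsoft describes in Knowledge Base article 240797: a per-CLSID key under ActiveX Compatibility whose "Compatibility Flags" DWORD has bit 0x400 set. The Wow6432Node path is only written when it already exists, so the script also covers 32-bit Internet Explorer on 64-bit Windows without creating stray keys on 32-bit systems.

```powershell
# Added example, not code from the article. Sets the Internet Explorer kill bit
# for the vulnerable Yahoo Messenger Webcam control (CLSID from the advisory)
# and reports the result. Run from an elevated (Administrator) PowerShell.

$clsid   = '{9D39223E-AE8E-11D4-8FD3-00D0B7730277}'
$killBit = 0x400   # KB 240797: this flag stops IE from instantiating the control

# Native key, plus the WOW6432Node key used by 32-bit IE on 64-bit Windows.
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # OR the kill bit into any flags already present instead of overwriting them.
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }

    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $killBit) -Force | Out-Null
}

# Verification pass: read the value back and confirm bit 0x400 is set.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    $isSet = (($flags -band $killBit) -ne 0)
    '{0}' -f $path
    '  Compatibility Flags = 0x{0:X8}   kill bit set: {1}' -f $flags, $isSet
}
```

The kill bit is independent of whether Yahoo Messenger is installed or updated, so it is a safe interim control to push by policy before the vendor fix is deployed; once the patched control ships under a new CLSID, the old entry can be left in place. Users who rely on the webcam feature inside Internet Explorer will lose it until the update is applied.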