Yahoo Messenger Flaw Being Exploited in the Wild
At issue is a buffer-overflow vulnerability in Yahoo Messengers Webcam ActiveX control. Attackers can exploit the issue to execute arbitrary code within the context of an application that uses the controltypically Internet Explorer, according to Symantecs DeepSight Alert Services.
eEye spotted proof-of-concept code last week and predicted that a malicious exploit would soon follow. Sure enough, DeepSight has spotted an active exploit in the wild at "at least one" site: n.88tw.net.
The exploit is put to work when an attacker crafts a malicious site designed to take advantage of the vulnerability. The attacker then lures victims to the site by sending the exploit code via e-mail or hosting it in a remotely accessible location, for example.
When victims visit the page, arbitrary code runs in the context of their browser. If successful, the attacker then gains remote access to control the target system.
Affected versions range from Yahoo Messenger 5.5.0 on up to 8.0.0 and those versions in between. Yahoo Messenger 8.1 isnt affected. Users should immediately upgrade to the version Yahoo put out to fix the problem late last week: Version 126.96.36.1991, posted at messenger.yahoo.com.
In lieu of installing the patch, DeepSight suggests these workarounds and mitigations:
- To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
- Deploy network intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
- To reduce the likelihood of successful attacks, never follow links provided by unknown or untrusted individuals.
- Implement multiple redundant layers of security. Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attackers ability to exploit this vulnerability to execute arbitrary code.
- Review and adjust according to policy any default configuration settings. To mitigate the possibility of an exploit through HTML e-mail, configure e-mail clients to render messages in plain text. This mitigation may adversely affect some functionality of e-mail clients.
- To prevent successful exploits, disable Active Scripting in Internet Explorer or set the kill bit on CLSID:9D39223E-AE8E-11D4-8FD3-00D0B7730277. For details on setting the kill bit for CLSIDs, consult Microsoft support document 240797.