Yahoo Patches IM Security Hole

 
 
By Matthew Hicks  |  Posted 2003-12-04
 
 
 
Yahoo Inc. this week issued a security update for Yahoo Messenger after the report earlier this week of a buffer overflow vulnerability in the instant messaging client.

Yahoo said it learned of the security issue late Tuesday and issued the patch by Wednesday afternoon. Security researcher Tri Huynh discovered a vulnerability that, if exploited, could allow a malicious Web site to run code on a users computer, according to an advisory issued Wednesday by Danish security company Secunia.

The vulnerability stems from an error in the "yauto.dll" file, an ActiveX component of Messenger. The security hole affects Yahoo Messenger versions 5.6.0.1347 and earlier, the advisory said.

Secunia rated the vulnerability as "highly critical," but Yahoo said it knows of no actual exploits of the vulnerability. The company also said that only a small percentage of users would be affected because the exploit is linked to a wider vulnerability in Internet Explorer.

Only users that have chosen to change IEs security settings to the "low" level, rather than the default "medium" setting, or that are not running the most recent IE patches would be vulnerable, Yahoo said. An attacker then would need to direct a vulnerable user to view malicious HTML code in order exploit the hole.

Even after downloading the Yahoo Messenger fix, users who dont also change their security settings or run recent IE versions could be susceptible to other security vulnerabilities not related to Yahoo Messenger, .

"[Yahoo] encourages users to change their IE security setting back to the default level of medium and to upgrade to the most recent version of IE," spokeswoman Mary Osako said.

Yahoo isnt alone in having security vulnerabilities reported in its IM software. All the major IM networks have had periodic security holes—especially buffer overflows—exposed, said Dmitry Shapiro, CTO and founder of Akonix Systems Inc., an enterprise IM gateway vendor.

IM security issues are gaining more attention as employees access the top IM networks at work, posing a threat for companies that dont manage the updating of those IM clients or block malicious activity such as the sending Web links known to be virus-laden, he said.

"Even though networks do a great job of releasing the patches, the users do a terrible job of applying patches," Shapiro said. "Instant messaging is a ripe target for hackers."

Rocket Fuel