McAfee Avert Labs has uncovered a new zero-day in Yahoo Messenger Webcam and are warning people not to accept invites from people they dont trust until a patch is out.
Avert Labs is calling this a “classic heap overflow” that can be triggered when a victim accepts a webcam invitation. The issue was first discovered when it was reported on security forums in China.
Avert Labs notes in a blog posting that this problem is not the same as the one Yahoo patched in June—that earlier vulnerability had to do with a buffer overflow in Yahoo Webcam ActiveX controls.
Click here to read more about a Yahoo Messenger flaw in the wild.
Besides eschewing invites from strangers, Avert Labs is also advising Messenger users to block outgoing traffic on TCP port 5100 until Yahoo patches the hole. McAfee has added signatures to its NIPS IntruShield to protect its customers who use Messenger.
Avert Labs Karthik Raman said that as of his Aug. 14 posting, no exploit code is out yet for this vulnerability.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.