Researchers at eEye Digital Security are reporting multiple vulnerabilities in Yahoo Messenger they say hackers can use to remotely execute code.
Yahoo spokesperson Terrell Karlsten confirmed the company is looking into a buffer overflow issue in an Active X control.
"Upon learning of the issue, we began working on a fix," she told eWEEK. She declined further comment until she had more details.
The flaws, given a threat level rating of "high" by the company, were reported to Yahoo June 5 and are not known to have been exploited in the wild. Version 8.x of the companys instant messaging (IM) client is at risk, the company said.
Marc Maiffret, chief technology officer of Aliso Viejo, Calif.–based eEye, said the company would not release any technical details about the vulnerabilities because the security holes remain unplugged. However, an advisory from Denmark-based security research firm Secunia provided more information. According to Secunia officials, a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.
Another boundary error, within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control, can be used to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.
Maiffret noted many people are not as careful over IM as they are on e-mail, and that IM attacks can dodge a corporations firewall at the perimeter.
"Definitely on IM, people are more trusting," he said.
A May study by Akonix Systems in San Diego, a provider of instant messaging security and compliance products, uncovered 170 IM threats—an increase of 73 percent when compared to the number the company found between January and May of 2006.
"Todays Yahoo vulnerability is further evidence that IM, like e-mail or Web, has established itself as a de facto legitimate business communications medium and as a result has become a threat vector," said Dan Nadir, vice president of product strategy at ScanSafe. "If companies arent addressing IM in their security architecture, theyre leaving a key communication channel unnecessarily exposed to security, productivity, legal and compliance risks."
Nadir urged businesses to establish a clear IM-acceptable use policy, backed up with an IM security tool that meets the corporations needs.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Research Assistant
