Yahoo Messenger Vulnerabilities Patched

A new version of Yahoo's popular instant messaging application is released to fix a pair of code execution security flaws.

Yahoo Inc. has released a new version of its instant messaging application to fix a pair of security vulnerabilities that could put users at risk of code execution attacks.

The media firm, based in Sunnyvale, Calif., urged Yahoo Messenger users to upgrade to Version or later to protect against malicious hacking attacks. Secure versions of the client can be downloaded here.

"Under a very specific set of circumstances, an executable file could be unknowingly launched in Yahoo! Messenger. As a result, users could be vulnerable to running a malicious program on their computer," the company said in a security advisory.

"While a number of conditions must be met before being exposed to the security issues, users can be vulnerable to running malicious code on their computer," the statement added.

Independent security research outfit Secunia, the company credited with finding and reporting the flaws, said the bug exists because files with long file names are not displayed correctly in the file transfer dialogs. This can be exploited to dupe users into accepting and potentially executing malicious files.

Successful exploitation requires that the option "Hide extension for known file types" is enabled in Windows default setting, Secunia explained.

A second Yahoo Messenger vulnerability is caused due to a combination of weak default directory permissions and the Audio Setup Wizard (asw.dll) invoking the "ping.exe" utility insecurely during the connection testing phase.

Secunia said this flaw could be exploited to execute arbitrary code with the privileges of another user by placing a malicious "ping.exe" file in the applications "Messenger" directory.

"Successful exploitation requires that a user runs the Audio Setup Wizard and that the application has been installed in a non-default location (not as a subdirectory to the "Program Files" directory)," Secunia added.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.