Friday, August 17, 2007

New zero-day Yahoo Messenger bug found


Researchers at McAfee have verified and reproduced a zero-day bug first reported by Chinese researchers pertaining to the Webcam functionality on Yahoo Messenger.

The bug was reproduced on the most recent version of Messenger as of today, which is V8.1.0.413.

Wrote McAfee researcher Wei Wang:

It seems like a classic heap overflow, which can be triggered when the victim accepts a webcam invite.

Yahoo’s security team has been notified of the problem. According to a Yahoo spokesman in an e-mail to InformationWeek:

Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly. Yahoo takes security seriously and consistently employs measures to help protect our users.

No exploit code for this new flaw has been published yet. This vulnerability is distinct from the one that was patched in June.

For now, you should stop accepting Webcam invites from untrusted sources until a patch for this flaw has been released and installed. Additionally, McAfee also recommends that you block outgoing traffic on TCP port 5100.
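The port-blocking advice above is easier to act on if you can also see which internal hosts are still making outbound connections on that port. The following is an added example, not code from the post or from McAfee: it parses a handful of constructed egress-firewall log lines (the log format, the IP addresses and the timestamps are all made up for this example), reports which source hosts were allowed to reach TCP port 5100 and how many attempts the firewall already blocked, and prints one common netfilter rule implementing the recommended outbound block. The `OUTPUT` chain is for traffic generated on the host itself; on a gateway the equivalent rule would go in `FORWARD`.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Remote TCP port the post says McAfee recommends blocking outbound.
WEBCAM_PORT = 5100

# Constructed sample egress-firewall log lines for this example. The format,
# addresses and timestamps are hypothetical, not from any real product or the post.
SAMPLE_LOG = """\
2007-08-17T10:02:11 ALLOW TCP 192.168.1.20:49211 -> 203.0.113.7:5100
2007-08-17T10:02:13 ALLOW TCP 192.168.1.20:49212 -> 203.0.113.7:443
2007-08-17T10:03:40 ALLOW UDP 192.168.1.31:53022 -> 198.51.100.9:5100
2007-08-17T10:04:02 ALLOW TCP 192.168.1.31:49800 -> 198.51.100.9:5100
2007-08-17T10:04:05 ALLOW TCP 192.168.1.31:49801 -> 198.51.100.9:5100
2007-08-17T10:05:00 BLOCK TCP 192.168.1.44:50000 -> 203.0.113.7:5100
"""

# One line of the constructed format: timestamp, action, protocol, src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )


def webcam_flows(log_text: str, port: int = WEBCAM_PORT) -> List[Flow]:
    """Select outbound TCP flows whose destination port is the webcam port (UDP is ignored)."""
    flows = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [f for f in flows if f is not None and f.proto == "TCP" and f.dport == port]


def audit(log_text: str, port: int = WEBCAM_PORT) -> Dict[str, object]:
    """Summarise which internal hosts still reach the port and how many attempts were blocked."""
    flows = webcam_flows(log_text, port)
    allowed_by_host = Counter(f.src for f in flows if f.action == "ALLOW")
    blocked = sum(1 for f in flows if f.action == "BLOCK")
    return {"allowed_by_host": allowed_by_host, "blocked": blocked}


def egress_block_rule(port: int = WEBCAM_PORT) -> str:
    """Netfilter rule for the recommended host-level outbound block (one common syntax)."""
    return f"iptables -A OUTPUT -p tcp --dport {port} -j REJECT"


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host, n in sorted(report["allowed_by_host"].items()):
        print(f"{host}: {n} allowed outbound TCP/{WEBCAM_PORT} connection(s)")
    print(f"blocked attempts: {report['blocked']}")
    print("suggested rule:", egress_block_rule())
```

Hosts that still show up under `allowed_by_host` after the rule is deployed are the ones whose firewall policy did not take effect, which is the check worth running before assuming the workaround is in place.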
