New Zero-Day Flaw for Yahoo Messenger

Discussion in 'DSL & Info Tech News' started by dyoddyowel, Aug 24, 2007.


  1. dyoddyowel

    dyoddyowel Member




    New Zero-Day Flaw for Yahoo Messenger

    McAfee said Wednesday that it was able to confirm an earlier reported zero-day flaw in Yahoo Messenger, which could put users at risk of a code-execution attack.


    According to a post on the company's Avert Labs web log, the flaw can be exploited when the victim accepts an invite for a webcam chat. McAfee said that it had informed Yahoo of the issue, which was not available for comment.

    The heap overflow error was reproduced in McAfee labs using Yahoo Messenger version 8.1.0.413 based on information found in a Chinese security forum. This flaw is said to be different from another webcam flaw that was patched by Yahoo in June.

    That exploit took advantage of buffer overflow issues within the Webcam ActiveX component, while the other causes a buffer overflow in the ywcvwr.dll viewer. The issues affect both Yahoo Messenger 8.0 and 8.1 running on Windows.

    Until Yahoo, patches the issue, McAfee recommended several steps for users to take in the meantime. "Don't accept webcam invites from untrusted sources until a patch for this is released," Wei Wang said. "It's advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability."

    By Ed Oswald, BetaNews
    August 16, 2007, 1:11 PM
    http://www.betanews.com/article/New_Zer ... 1187284312
     
  2. dyoddyowel

    dyoddyowel Member




    Security Updates
    Yahoo! Webcam
    August 21, 2007


    Do I need to update Yahoo! Messenger to the new version?
    Yes, if you are using a version of Yahoo! Messenger obtained before August 21, 2007.

    How do I get the Security Update?
    You can download the latest version of Yahoo! Messenger from http://messenger.yahoo.com/download.php. Select the typical install option during the install process.

    What is the security issue?
    Yahoo! recently learned of two security issues in the webcam function. They are commonly referred to as denial-of-service and buffer overflow. The Yahoo! Messenger client downloaded before August 21, 2007 is vulnerable to these issues.

    What is the potential impact?
    A denial-of-service attack (also known as DoS attack) is an attack on a computer system that causes a loss of service to users. For this specific security issue, the Yahoo! Messenger exits unexpectedly after accepting a webcam invitation from a malicious attacker.

    Some impacts of a buffer overflow might include the introduction of executable code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Yahoo! Messenger. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting the Messenger user to accept a webcam invitation.

    Who is affected?
    Yahoo! Messenger client users who accept a webcam invitation controlled by a malicious attacker. If your computer has installed Yahoo! Messenger before August 21, 2007, you should install the update.

    Why do I have to install the update?
    Installing the update helps protect against exploits of this issue that may be developed.

    How long will it take?
    The update should take no more than a couple minutes, although the exact time depends on the speed of your Internet connection.

    What if I don't install the update?
    Over the next several weeks, users worldwide will be prompted to update to a new version of the Yahoo! Messenger client upon signing into the service. If you choose not to update and you have not updated via this page or at http://messenger.yahoo.com, the vulnerability will still exist.

    I'm a technical user. What is the exact version of the DLL that contains the fix?
    There are two affected DLLs. The first DLL is kdv_v32M.dll and the version is 3.2.0.2 The second DLL is ywcvwr.dll and the version is 2.0.1.9.

    http://messenger.yahoo.com/security_upd ... ?id=082107
     
  3. dyoddyowel

    dyoddyowel Member




    i should have posted this earlier but since the site is having problems i postponed it...

    update your YM now if you use one...
     
  4. bhovoi

    bhovoi Member




    thanx for the info dyod
     
  5. KennethM

    KennethM Guest




    Salamat sa update. :D
     
  6. dyoddyowel

    dyoddyowel Member




    wag nyo muna update... invite ko pa kyo sa webcam eh... hehehe
     
  7. KennethM

    KennethM Guest




    Hehehe... :shock:
     
  8. vanix_09

    vanix_09 Member




    Thanks for the information.
     
  9. fishbone

    fishbone Member




    salamat dito. useful to lalo na sa mga internet cafe owners/operators.
     
                                 

Share This Page