Security Flaw Found in Yahoo Messenger

BigBlueBall News · #1 (**permalink**) 12-03-2003, 01:00 AM

Paul Roberts, IDG News Service - UPDATE

December 3, 2003

December 5, 2003 Update

Yahoo has released a patch. Read Yahoo Plugs Security Hole in Messenger for the details.

Security researchers are warning of a security hole in Yahoo’s Messenger that could allow attackers to run their own code on computers using the instant messaging program.

The buffer overrun vulnerability was discovered by researcher Tri Huynh in a file named "yauto.dll," which is an ActiveX component of Yahoo Messenger software versions up to 5.6.0.1347, according to a security alert released Wednesday by Secunia of Copenhagen, Denmark.

Yahoo did not immediately respond to requests for comment.

The company was notified via e-mail about the hole one month ago, but did not respond, Secunia said.

Yahoo Messenger allows users to instantaneously communicate with each other over the Internet using text messages. It also lets users send files or links to Web pages. Instant messaging applications such as Yahoo Messenger, Microsoft’s MSN Messenger, and America Online’s AOL Instant Messenger are increasingly used at companies to let workers communicate with each other over corporate LANs.

ActiveX Concerns

ActiveX is a Microsoft technology that allows software developers to create small, reusable bits of code, called "controls" that enable programs to share information over computer networks and the Internet.

Attackers could trigger a buffer overrun on machines running Yahoo Messenger by sending a long stream of data in the form of a Web page URL to a vulnerable function within yauto.dll, crashing the application or allowing the attacker to place his or her own malicious code on the machine, according to Secunia.

To launch an attack, hackers could set up a Web page, then lure Yahoo Messenger users into visiting the site and clicking on a link that triggers the buffer overrun and runs the attack code, Secunia said.

In buffer overflow attacks, hackers use flaws in a software program’s underlying code to overwrite areas of the computer’s memory, replacing legitimate computer instructions with bad data or other instructions.

Secunia rated the Messenger vulnerability "highly critical," saying that researchers tested the hole and successfully exploited it by downloading and running a Trojan horse program.

Yahoo Messenger users running vulnerable versions of the program were advised to remove yauto.dll from their computer hard drive. Users should also consider modifying their Web browser configuration to prevent ActiveX controls and Active Scripting from running, except on approved Web sites, Secunia said.

Links

Source: PC World

BigBlueBall Yahoo! Center

Discuss in the forums

Similar Topics
Topic	Topic Starter	Forum	Replies	Last Post
Yahoo! Messenger “Online Status” Privacy Issue	Chet	Yahoo! Messenger Support	11	05-30-2009 06:22 PM
Messenger Plus! 3 BETA Review!	DXtremz	Windows Live Messenger Support	44	09-14-2005 02:32 PM
Messenger Plus! 3 Feature List	BigBlueBall News	Windows Live Messenger News	0	05-21-2004 01:00 AM
Yahoo! Messenger Launches ′IMVironments′ With Next Generation of Yahoo! Messenger Service	BigBlueBall News	Yahoo! Messenger News	0	10-22-2001 01:00 AM

THE BASICS About us BigBlueBall Blog Contact us	NEWS & REFERENCE Instant Messaging Social Networks Mobile Tech View all categories	DISCUSSION FORUMS Instant Messaging Social Networks Mobile Tech Computer Support View all forums	COMMUNITY Fan us on Facebook Follow us on Twitter Bookmark us on Delicious Subscribe to our RSS feed BigBlueBall badges	CONTRIBUTE Advertise on BigBlueBall Write for us Report a site bug
	Copyright © 2000-2009 BigBlueBall · All rights reserved · Privacy Powered by vBulletin® Copyright ©2000 - 2009, Jelsoft Enterprises Ltd. · Search Engine Friendly URLs by vBSEO 3.2.0

Currently Active Users Viewing This Topic: 1 (0 members and 1 guests)