June 7th, 2007

Exploits released for nasty Yahoo Webcam ActiveX flaws

Posted by Ryan Naraine @ 12:01 pm


Less than 24 hours after eEye Digital Security released a pre-patch advisory for “high risk” flaws in the Yahoo Messenger software, an unknown hacker has published exploit code for dangerous holes in two ActiveX controls installed by default by the Yahoo Messenger package.

The zero-day exploits (see code here and here) could allow arbitrary code execution in the context of the logged-in user. The vulnerabilities were found in ActiveX controls used by the Yahoo Webcam image upload and view utilities.

It is not known if these are in any way related to the eEye discoveries. I have confirmed that these are indeed the same flaws discovered and reported by eEye (working on another story now on how Yahoo screwed up the disclosure process).

According to the Zero Day Tracker, the release of these exploits should be treated very seriously:

ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.

In the absence of a patch, the best thing to do is to uninstall and stop using the vulnerable program.

If you are not willing to remove Yahoo Messenger, you can killbit the CLSIDs for the Yahoo! ActiveX Controls (DCE2F8B1-A520-11D4-8FD0-00D0B7730277, 9D39223E-AE8E-11D4-8FD3-00D0B7730277). This will disable calls to these ActiveX controls from Web pages, thereby mitigating these specific vulnerabilities.
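The kill-bit mitigation described above, as an added PowerShell example that is not part of the original post: it sets the `Compatibility Flags` DWORD (bit 0x400 is the kill bit Internet Explorer honours) under the ActiveX Compatibility key for the two CLSIDs quoted in the post, preserves any flags already present, and reports whether each entry is now in effect. It assumes an elevated session; the Wow6432Node path is only written where it already exists (32-bit IE on 64-bit Windows).

```powershell
# Added example (not part of the original post). Run from an elevated prompt.
# The two CLSIDs come from the post above; the kill bit only blocks browser
# instantiation of the controls, it does not remove the DLLs from disk.
$clsids = @(
    '{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}',
    '{9D39223E-AE8E-11D4-8FD3-00D0B7730277}'
)
$KillBit = 0x400   # "Compatibility Flags" bit that marks a control as kill-bitted

$basePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
$wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path $wow) { $basePaths += $wow }   # 32-bit IE on a 64-bit host

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so other compatibility flags already set are kept
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

function Test-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $basePaths) {
    foreach ($clsid in $clsids) {
        Set-KillBit -Base $base -Clsid $clsid
        $state = if (Test-KillBit -Base $base -Clsid $clsid) { 'set' } else { 'NOT set' }
        Write-Output ("{0}  {1}  kill bit {2}" -f $base, $clsid, $state)
    }
}
```

Running `Test-KillBit` alone (without `Set-KillBit`) is a useful audit step for checking whether a fleet already has the mitigation applied before a vendor patch ships.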

[UPDATE: June 7, 2007 @ 3:34 PM] Secunia rates this an “extremely critical” issue and provides more details on the two vulnerabilities:

1. A boundary error within the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the “Server” property and then calling the “Send()” method.

2. A boundary error within the Yahoo! Webcam Viewer (ywcvwr.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the “Server” property and then calling the “Receive()” method.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

Talkback

Is this still a threat?  SamHobbs | 09/04/08
