August 24th, 2007
Security makeover for Yahoo Messenger
Eight days after the release of exploit code for code execution holes in the Yahoo Messenger IM client, Yahoo has shipped a new version with patches for its Windows user base.
The latest security makeover, which is being distributed via the software’s auto-update mechanism, covers two separate vulnerabilities that can be triggered when an attacker tricks the target into accepting a webcam invitation.
[ SEE: Beware of strange Yahoo Messenger webcam invites ]
Yahoo confirmed in an alert that the flaws could open doors to remote code execution attacks.
Some impacts of a buffer overflow might include the introduction of executable code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Yahoo! Messenger. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting the Messenger user to accept a webcam invitation.
This is the second major security makeover for Yahoo Messenger this year.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
