September 19th, 2007
Zero-day flaws surface in AOL, Yahoo IM products
Zero-day vulnerabilities in two popular instant messaging products could put millions of computer users at risk of malicious hacker attacks.
Exploit code has been released for the more serious of the two flaws — a gaping hole in Yahoo Messenger — that could expose users to code execution attacks. (Milw0rm.com code here).
This is the third major security hiccup found in Yahoo Messenger over the last few months.
Separately, Secunia has posted an alert for a security bug in AOL Instant Messenger that can be exploited by malicious people to execute arbitrary script code.
Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.
Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.
The AIM flaw was confirmed in version 6.1.41.2. Other versions may also be affected.
Secunia recommends that AIM users disable “New IMs arrive” option in the “Notifications” settings until America Online ships a patch.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
