Beware of strange Yahoo Messenger webcam invites

Summary: Exploit code for a potentially serious vulnerability in Yahoo Messenger has been posted on the Internet, putting millions of computer users at risk of code execution attacks.

The flaw, confirmed in fully-patched versions of Yahoo Messenger, causes a heap overflow to be triggered when the target accepts a webcam invitation.

The exploit, published on a Chinese security forum, has been reproduced by researchers in McAfee's labs. According to Dave Marcus, security research and communications manager in McAfee Avert Lab, Yahoo has been notified and is investigating.

In the absence of a patch, McAfee recommends the following:

  • Do not accept webcam invites from untrusted sources.
  • Block outgoing traffic on TCP port 5100.
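One way to check that the port 5100 block is actually in effect on each host, as an added example that is not part of the original article or McAfee's advice: it audits a host firewall log for outbound TCP connections to port 5100 and lists hosts where such connections were still allowed. The Windows Firewall log layout is an assumption, and the sample log lines and all addresses in them are constructed.

```python
from collections import defaultdict

WEBCAM_PORT = "5100"  # TCP port named in the McAfee advice above

# Constructed sample in Windows Firewall log (pfirewall.log) layout; all addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-08-16 09:14:02 DROP TCP 10.0.0.21 203.0.113.7 49712 5100 0 - 0 0 0 - - - SEND
2007-08-16 09:15:40 ALLOW TCP 10.0.0.34 203.0.113.7 50110 5100 0 - 0 0 0 - - - SEND
2007-08-16 09:15:41 ALLOW TCP 10.0.0.34 198.51.100.9 50111 443 0 - 0 0 0 - - - SEND
2007-08-16 09:16:05 ALLOW UDP 10.0.0.21 198.51.100.53 53011 5100 0 - - - - - - - SEND
2007-08-16 09:17:12 ALLOW TCP 203.0.113.7 10.0.0.34 5100 50110 0 - 0 0 0 - - - RECEIVE
2007-08-16 09:18:30 DROP TCP 10.0.0.34 203.0.113.8 50120 5100 0 - 0 0 0 - - - SEND
"""

def audit_port_block(log_text, port=WEBCAM_PORT):
    """Return {src_ip: {"ALLOW": n, "DROP": n}} for outbound TCP flows to `port`."""
    fields, result = [], defaultdict(lambda: {"ALLOW": 0, "DROP": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") != port:
            continue
        if row.get("path", "SEND") != "SEND":  # older logs have no path column
            continue
        if row.get("action") in ("ALLOW", "DROP"):
            result[row["src-ip"]][row["action"]] += 1
    return dict(result)

def unblocked_hosts(log_text, port=WEBCAM_PORT):
    """Hosts with at least one allowed outbound connection: the block is not effective there."""
    return sorted(ip for ip, c in audit_port_block(log_text, port).items() if c["ALLOW"])

if __name__ == "__main__":
    for ip, counts in sorted(audit_port_block(SAMPLE_LOG).items()):
        print(ip, counts)
    print("block not effective on:", unblocked_hosts(SAMPLE_LOG))
```
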

"This one does require a lot of user-assisted action but a successful attack can cause full remote code execution," Marcus said in an interview.

[UPDATE: August 16 @ 12:06 PM]  Yahoo spokeswoman Monica Ma e-mails:

Yahoo! takes security seriously and consistently employs measures to help protect our users.  Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly.

ALSO SEE:

"High risk" flaws found in Yahoo Messenger

Exploits released for nasty Yahoo Webcam ActiveX flaws

Yahoo screws up flaw disclosure, helps exploit writer

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...