Exploits released for nasty Yahoo Webcam ActiveX flaws

Summary:An unknown hacker has published exploit code for dangerous holes in two ActiveX controls installed by default by the Yahoo Messenger package.

Less than 24 hours after eEye Digital Security released a pre-patch advisory for "high risk" flaws in the Yahoo Messenger software, an unknown hacker has published exploit code for dangerous holes in two ActiveX controls installed by default by the Yahoo Messenger package.

Yahoo Messenger webcam
The zero-day exploits (see code here and here) could allow arbitrary code execution in the context of the logged-in user. The vulnerabilities were found in ActiveX controls used by the Yahoo Webcam image upload and view utilities.

It was not initially known whether these were in any way related to the eEye discoveries. [UPDATE] I have confirmed that these are indeed the same flaws discovered and reported by eEye (working on another story now on how Yahoo screwed up the disclosure process).

According to the Zero Day Tracker, the release of these exploits should be treated very seriously:

ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.

In the absence of a patch, the best thing to do is to uninstall and stop using the vulnerable program.

If you are not willing to remove Yahoo Messenger, you can set the kill bit for the CLSIDs of the two Yahoo! ActiveX controls (DCE2F8B1-A520-11D4-8FD0-00D0B7730277 and 9D39223E-AE8E-11D4-8FD3-00D0B7730277). This stops Internet Explorer (and other hosts that honor IE's ActiveX compatibility flags) from instantiating these controls from Web pages, thereby mitigating these specific vulnerabilities. The DLLs themselves stay on disk, so the kill bit is a mitigation, not a fix.
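For readers who want to apply the kill bit without hand-editing the registry, here is an added example (not code from the original post, nor from Yahoo, eEye or Secunia) that does it from an elevated PowerShell prompt. It uses the two CLSIDs quoted above; the registry locations and the 0x400 flag value are the standard Internet Explorer kill-bit mechanism documented by Microsoft in KB240797. The assumption that the controls, if present, are registered under HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32 is the normal ActiveX registration path, used here only to report whether the DLLs are on the machine.

```powershell
# Added example: set the IE kill bit for the two Yahoo! Webcam ActiveX controls
# named in the post. Not code from the original post or from Yahoo/eEye/Secunia.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# CLSIDs taken from the post (Yahoo! Webcam Upload and Viewer controls).
$ClsIds = @(
    '{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}',
    '{9D39223E-AE8E-11D4-8FD3-00D0B7730277}'
)

# Kill bit = Compatibility Flags 0x400 (KB240797). On 64-bit Windows the 32-bit
# IE process reads the Wow6432Node hive, so both locations are covered.
$KillBit = 0x400
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-ControlDll {
    param([string]$ClsId)
    # Assumption: the control is registered under the usual CLSID\InprocServer32 key.
    # Returns the DLL path if registered, otherwise $null.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClsId\InprocServer32"
    if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' } else { $null }
}

function Set-KillBit {
    param([string]$ClsId)
    foreach ($root in $Roots) {
        $key = Join-Path $root $ClsId
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present instead of overwriting them.
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    param([string]$ClsId)
    # True only if the kill bit is set in every location IE may read on this machine.
    foreach ($root in $Roots) {
        $key = Join-Path $root $ClsId
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

foreach ($id in $ClsIds) {
    $dll = Get-ControlDll $id
    Write-Host ("{0} -> {1}" -f $id, $(if ($dll) { $dll } else { 'not registered' }))
    Set-KillBit $id
    Write-Host ("  kill bit set: {0}" -f (Test-KillBit $id))
}
```

The script sets the bit whether or not the control is currently registered, which is deliberate: a later reinstall of Yahoo Messenger re-registers the DLLs but does not clear the kill bit, so the mitigation survives. Setting the bit requires no reboot, but IE windows already open keep their loaded state until restarted.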

[UPDATE: June 7, 2007 @ 3:34 PM] Secunia rates this an "extremely critical" issue and provides more details on the two vulnerabilities:

1. A boundary error within the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.

2. A boundary error within the Yahoo! Webcam Viewer (ywcvwr.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.

Topics: Social Enterprise, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
