Yahoo screws up flaw disclosure, helps exploit writer

If you want to blame someone for the release of dangerous exploit code targeting gaping holes in Yahoo Messenger, point your finger at Yahoo spokeswoman Terrell Karlsten.
Written by Ryan Naraine, Contributor

It turns out, Karlsten went public with nitty-gritty details of the two bugs that were privately -- and responsibly -- reported by eEye Digital Security, pointing hackers at the specific ActiveX controls that contained the vulnerability.

Using Karlsten's guide, a hacker named "Danny" pointed a fuzzer at the identified ActiveX controls and, within an hour, found the crash that led to the vulnerabilities and the exploits.

Here's the timeline of flaw disclosure gone wrong:

June 5, 2007: eEye publishes a bare bones advisory saying that multiple flaws exist within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction. No details are offered beyond that simple note.

June 6, 2007 @ 4:06 PM: Information Week runs a story with this doozy of a quote: "We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for Web cam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly," said Yahoo spokeswoman Terrell Karlsten. (The italics are mine).

(Note: Information Week later in the day updated its story, removing Karlsten's name from the sentence. Neowin has evidence of the original story.)

June 6, 2007 @ 5:50 PM: 'Danny' publishes his first exploit, linking to the Information Week story and boasting of his discovery after only 45 minutes of fuzzing.

June 6, 2007 @ 7:03 PM: The second exploit is released by "Danny," with yet another reference to Karlsten's pointers in the Information Week piece.

I spoke to eEye chief hacking officer Marc Maiffret about this and he pointed to Yahoo as the party that screwed up the disclosure process, putting millions of users at risk of code execution attacks.

"Yahoo $#%ed up. They spilled the beans basically," said an exasperated Maiffret.

I have a query in to Yahoo for comment and will update this blog entry as necessary. I just got off the phone with a very contrite Karlsten, who admitted the gaffe and chalked it up to a "terrible oversight." She said her comments were "not representative" of Yahoo's disclosure process and called the slip an error that could be blamed on the company's push to be transparent and upfront with its customers.

I have to give kudos to Yahoo for getting this patch out in record time (48 hours) and trying its best to push the upgrade to users during the login process, but I still think Yahoo should strongly consider making this a mandatory upgrade.

ALSO SEE THESE RELATED STORIES:

'High risk' flaws in Yahoo Messenger

Exploits released for nasty Yahoo Webcam ActiveX flaws

Microsoft's advisories giving clues to hackers