Yahoo screws up flaw disclosure, helps exploit writer

Summary: If you want to blame someone for the release of dangerous exploit code targeting gaping holes in Yahoo Messenger, point your finger at Yahoo spokeswoman Terrell Karlsten.

It turns out, Karlsten went public with nitty-gritty details of the two bugs that were privately -- and responsibly -- reported by eEye Digital Security, pointing hackers at the specific ActiveX controls that contained the vulnerability.

Using Karlsten's guide, a hacker named "Danny" pointed a fuzzer at the identified ActiveX controls and, within an hour, found the crashes that led to the vulnerabilities and the exploits.

Here's the timeline of flaw disclosure gone wrong:

June 5, 2007: eEye publishes a bare-bones advisory saying that multiple flaws exist within Yahoo Messenger that allow for remote execution of arbitrary code with minimal user interaction. No details are offered beyond that simple note.

June 6, 2007 @ 4:06 PM: Information Week runs a story with this doozy of a quote: "We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for Web cam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly," said Yahoo spokeswoman Terrell Karlsten. (The italics are mine).

(Note: Information Week later in the day updates its story removing Karlsten's name from the sentence. Neowin has evidence of the original story).

June 6, 2007 @ 5:50 PM: 'Danny' publishes his first exploit, with a link to the Information Week story and a boast about his discovery after only 45 minutes of fuzzing.

June 6, 2007 @ 7:03 PM: The second exploit is released by "Danny," with yet another reference to Karlsten's pointers in the Information Week piece.

I spoke to eEye chief hacking officer Marc Maiffret about this and he pointed to Yahoo as the party that screwed up the disclosure process, putting millions of users at risk of code execution attacks.

"Yahoo $#%ed up. They spilled the beans basically," said an exasperated Maiffret.

I have a query in to Yahoo for comment and will update this blog entry as necessary. I just got off the phone with a very contrite Karlsten, who admitted the gaffe and chalked it up to a "terrible oversight." She said her comments were "not representative" of Yahoo's disclosure process and called it an error that could be blamed on the company's push to be transparent and upfront with its customers.

I have to give kudos to Yahoo for getting this patch out in record time (48 hours) and trying its best to push the upgrade to users during the login process, but I still think they should strongly consider this a mandatory upgrade.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe.