Zero-day flaws surface in AOL, Yahoo IM products

Summary: Zero-day vulnerabilities in two popular instant messaging products could put millions of computer users at risk of malicious hacker attacks.

Exploit code has been released for the more serious of the two flaws -- a gaping hole in Yahoo Messenger -- that could expose users to code execution attacks. (The code was posted on Milw0rm.com.)

This is the third major security hiccup found in Yahoo Messenger over the last few months.

Separately, Secunia has posted an alert for a security bug in AOL Instant Messenger that can be exploited by malicious people to execute arbitrary script code.

Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.

Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.

The AIM flaw was confirmed in version 6.1.41.2. Other versions may also be affected.

Secunia recommends that AIM users disable the "New IMs arrive" option in the "Notifications" settings until America Online ships a patch.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
