Yahoo screws up flaw disclosure, helps exploit writer

If you want to blame someone for the release of dangerous exploit code targeting gaping holes in Yahoo Messenger, point your finger at Yahoo spokeswoman Terrell Karlsten.

It turns out Karlsten went public with nitty-gritty details of the two bugs that were privately -- and responsibly -- reported by eEye Digital Security, pointing hackers at the specific ActiveX controls that contained the vulnerabilities.

Using Karlsten's guide, a hacker named "Danny" pointed a fuzzer at the identified ActiveX controls and, within an hour, found the crash that led to the vulnerabilities/exploits.

Here's the timeline of flaw disclosure gone wrong:

June 5, 2007: eEye publishes a bare bones advisory saying that multiple flaws exist within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction. No details are offered beyond that simple note.

June 6, 2007 @ 4:06 PM: Information Week runs a story with this doozy of a quote: "We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for Web cam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly," said Yahoo spokeswoman Terrell Karlsten. (The italics are mine).

(Note: Information Week later in the day updates its story removing Karlsten's name from the sentence. Neowin has evidence of the original story).

June 6, 2007 @ 5:50 PM: "Danny" publishes his first exploit with a link to the Information Week story, boasting of his discovery after only 45 minutes of fuzzing.

June 6, 2007 @ 7:03 PM: The second exploit is released by "Danny," with yet another reference to Karlsten's pointers in the Information Week piece.

I spoke to eEye chief hacking officer Marc Maiffret about this and he pointed to Yahoo as the party that screwed up the disclosure process, putting millions of users at risk of code execution attacks.

"Yahoo $#%ed up. They spilled the beans basically," said an exasperated Maiffret.

I have a query in to Yahoo for comment and will update this blog entry as necessary. I just got off the phone with a very contrite Karlsten who admitted the gaffe and chalked it up to a "terrible oversight." She said her comments were "not representative" of Yahoo's disclosure process and were an error that could be blamed on the company's push to be transparent and upfront with its customers.

I have to give kudos to Yahoo for getting this patch out in record time (48 hours) and trying its best to push the upgrade to users during the login process, but I still think they should strongly consider this a mandatory upgrade.


Talkback

  • bah

    bah, if it gets them to fix the flaw faster, then I don't really care that "too much" was disclosed.

    Frankly, I'm not under the fantastic illusion that the hackers don't know this stuff already. Do people REALLY believe they don't know about these flaws already?
    CobraA1