Zero-day flaws surface in AOL, Yahoo IM products

Summary: Zero-day vulnerabilities in two popular instant messaging products could put millions of computer users at risk of malicious hacker attacks.

Exploit code has been released for the more serious of the two flaws, a gaping hole in Yahoo Messenger that could expose users to code execution attacks. The exploit was posted to Milw0rm.com.

This is the third major security hiccup found in Yahoo Messenger over the last few months.

Separately, Secunia has posted an alert for a security bug in AOL Instant Messenger that can be exploited by malicious people to execute arbitrary script code.

Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.

Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.

The AIM flaw was confirmed in version 6.1.41.2. Other versions may also be affected.

Secunia recommends that AIM users disable the "New IMs arrive" option in the "Notifications" settings until America Online ships a patch.
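The Secunia description above amounts to HTML injection into a rendering surface that runs with local privileges: text from the other party is spliced into the markup the Notification window displays, so anything in it that parses as a tag or attribute is treated as markup, not as a message. The block below is an added example, not code from the article or from AOL or Yahoo, that models this bug class in plain JavaScript. The notification template, the function names and the sample screen name and message are all constructed for illustration; the real AIM window is a native control and its template is not public. It shows an unsafe builder beside an escaped one, and a small checker that reports whether any foreign tag or on* handler survived into the output.

```javascript
// Added example, not code from the article or from AOL/Yahoo. It models the
// bug class Secunia describes: untrusted IM fields spliced into markup that a
// privileged HTML view renders. Names and the sample inputs are constructed.

// Escape the characters that change meaning in element content or in a
// double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the sender name goes into an attribute and into element
// content, the message text into element content, all unescaped. Whatever
// parses as HTML in either field is rendered as HTML.
function buildNotificationUnsafe(screenName, message) {
  return `<div class="im-notify" title="${screenName}">` +
         `<b>${screenName}</b>: ${message}</div>`;
}

// Hardened shape: each untrusted field is escaped before it lands in the
// markup, so the data can only ever be displayed as text.
function buildNotificationSafe(screenName, message) {
  const name = escapeHtml(screenName);
  return `<div class="im-notify" title="${name}">` +
         `<b>${name}</b>: ${escapeHtml(message)}</div>`;
}

// Check whether untrusted input survived as markup: any tag the template did
// not emit, or any on* attribute on any tag. Attribute values are tokenized
// with their quotes so an escaped &quot; inside a value does not start a new
// attribute. Deliberately simple; it is only meant for these inputs.
const TEMPLATE_TAGS = new Set(['div', '/div', 'b', '/b']);
const TAG_RE = /<\s*(\/?[a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;

function foreignMarkup(html) {
  const tags = [];
  const handlers = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) tags.push(name);
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (attrName.startsWith('on')) handlers.push(attrName);
    }
  }
  return { tags, handlers };
}

// Constructed inputs. The screen name breaks out of the title attribute
// without using '<' at all; the message smuggles a tag with an inline error
// handler. In the real flaw such script would run in the Local Zone.
const CRAFTED_NAME = 'buddy42" onmouseover="alert(1)';
const CRAFTED_MESSAGE = 'hey <img src="x" onerror="alert(1)">';

function demo() {
  const unsafe = buildNotificationUnsafe(CRAFTED_NAME, CRAFTED_MESSAGE);
  const safe = buildNotificationSafe(CRAFTED_NAME, CRAFTED_MESSAGE);
  return {
    unsafe: foreignMarkup(unsafe), // { tags: ['img'], handlers: ['onmouseover', 'onerror'] }
    safe: foreignMarkup(safe),     // { tags: [], handlers: [] }
    safeHtml: safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The screen-name case is the one worth noticing: it injects an event handler without a single `<`, which is why filtering "dangerous tags" out of a message is not a fix and why the quoting context of every insertion point has to be escaped for. Escaping makes the content inert, but it does not change where it is rendered; a control that executes script in the Local Zone is still the wrong place to show remote text even after escaping, which is the point the Secunia workaround of turning the notification off is really making.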

Talkback

10 comments
  • Multi-Messenger Applications

    This is a problem that makes me doubly nervous, as I use both of these services through a multi-messenger supporting application. Is it likely that I am at risk still using a program like Trillian or the like?

    J.Morgan
    www.VAR2.com
    John Morgan VAR2
    • Re: Multi-Messenger Applications

      I would guess that since the vulnerabilities are in the client programs themselves that they likely don't apply to independently developed clients, though those clients probably have vulnerabilities unique to them.
      svella
    • You are at risk in any application that uses the Microsoft HTML control.

      If Trillian uses the Microsoft HTML control, rather than KHTML (used by KDE and Apple's Safari) or Gecko (used by Mozilla and Firefox) then it's potentially vulnerable. Otherwise you're safe from this class of attack.
      Resuna
  • This is ALSO a flaw in Windows.

    "Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user."

    This attack is not just a hole in Yahoo messenger, it's a hole in Windows, one that has been there for a decade and one that Microsoft refuses to fix. The very idea that a hypertext display mechanism could even *potentially* execute code outside a strict sandbox (no matter what 'zone' it's in) without the calling application explicitly loading a plugin or setting up a callback to implement the escape mechanism is just plain wrong. It violates every principle of secure design, and this fundamental design flaw in Microsoft's HTML control has been the source of more exploits on Windows than any other single vulnerability.

    The Microsoft HTML control is simply too dangerous to use for anything but internal use on content provided explicitly by the application itself. NO application should be using it to display untrusted content. Ever. NO application that uses it to display untrusted content (sanitized or not) should be considered secure.

    Sanitizing untrusted input is too hard a job to be done except in the rarest of cases. If you think you need to do so, you need to look at the design you are using or the tools you are using, and see if there's any way to avoid having to pass content to a potentially insecure application or through an insecure API or interface.
    Resuna
    • Yes, this is a Windows flaw

      Once again, as with the QuickTime/Firefox vulnerability and the Skype worm, the underlying problem is Microsoft Windows.

      None of these affect Linux. I can safely chat online to MS Messenger and Yahoo Messenger clients from Linux using Kopete or GAIM.
      tracy anne
  • EXPLOIT CODE IS VIRUS

    I could open a dll in a text file but I would see a bunch of nonsense and all of my dll files in my computer would turn into text files! I could try to change the function of the dll in the text file but I would have no understanding of how to do it. This is because I am not at the software writing level in my computer. The dll could be the 'file' drop down box and I would want to put a 'save as' section in there. After the dll is finished being written it's locked. There is no need to change anything in this dll, it works fine. A virus enters the dll at the software writing level and changes the file. This virus might remove the 'save as png' file, or script. The virus adds itself into the check sum so it is not noticed. I reach a certain level in the program, a virus script starts and the program's explorer page disappears. The point is that viruses work at the software writing level and are invisible.
    BALTHOR
  • WHAT'S IN A DLL

    When I click 'file' a script is started and a drop down box appears. All of the sections in this drop down box are scripts that run when I click them. The script would tell the hard drive to record the file type that has been selected. A virus somehow enters the locked dll with probably a bogus permission. A virus can reside right inside of the program and even look like a legitimate part of the program, but it isn't. It is very impossible to detect these viruses. Virus scanners remove but a few viruses and they never remove these function impeding viruses. The program is written, the viruses are inserted and then you download the program.
    BALTHOR
  • SCRIPT

    When I type a letter the key that I type is detected in the BIOS as a switch made and a voltage is generated. This voltage is associated with a font character and I see what I have typed. The BIOS is a program that detects and can operate every component in the computer. I can construct a script using a series of mouse moves and when this script is viewed in a script reading program it looks like a deity software engineer wrote it.
    BALTHOR
  • relevance?

    Balthor, fascinating as your insights into the workings of a PC are, they don't really contribute much to the exploit discussion. Sorry if this seems insulting.
    dgrainge
  • Same old story

    IM exploits appear so frequently that I long ago decided IM is an unacceptable risk, and I don't use it. Reports like this just reinforce that conviction.
    Greenknight_z