Zero-day flaws surface in AOL, Yahoo IM products

Exploit code has been released for the more serious of the two flaws -- a gaping hole in Yahoo Messenger -- that could expose users to code execution attacks. (Milw0rm.com code here).

This is the third major security hiccup found in Yahoo Messenger over the last few months.

Separately, Secunia has posted an alert for a security bug in AOL Instant Messenger that can be exploited by malicious people to execute arbitrary script code.

Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.

Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.

The AIM flaw was confirmed in version 6.1.41.2. Other versions may also be affected.

Secunia recommends that AIM users disable "New IMs arrive" option in the "Notifications" settings until America Online ships a patch.