/>
X
Innovation

Security vulnerabilities reported in Yahoo! Messenger

eWeek notes that researchers at eEye Digital Security are reporting multiple vulnerabilities in Yahoo Messenger that enable hackers to remotely execute code."Upon learning of the issue, we began working on a fix," Yahoo!
Written by Russell Shaw, Contributor on

eWeek notes that researchers at eEye Digital Security are reporting multiple vulnerabilities in Yahoo Messenger that enable hackers to remotely execute code.

"Upon learning of the issue, we began working on a fix," Yahoo! spokesperson Terrell Karlsten tells eWEEK. She declined further comment until she had more details.

The flaws, given a threat level rating of "high" by the company, were reported to Yahoo June 5 and are not known to have been exploited in the wild. Version 8.x of the company's instant messaging (IM) client is at risk, eWeek noted the company said.

Marc Maiffret, chief technology officer of Aliso Viejo, Calif.–based eEye, told eWeekthe company would not release any technical details about the vulnerabilities because the security holes remain unplugged.

But that won't stop inquiring minds who want to find out what's going on.

However, an advisory from Denmark-based security research firm Secunia provided more information. According to officials from security research firm Secunia a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.

That's not all.

A boundary error associated with Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control, can be used to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.

"Today's Yahoo vulnerability is further evidence that IM, like e-mail or Web, has established itself as a de facto legitimate business communications medium and as a result has become a threat vector," Dan Nadir, vice president of product strategy at ScanSafe, tells eWeek. "If companies aren't addressing IM in their security architecture, they're leaving a key communication channel unnecessarily exposed to security, productivity, legal and compliance risks."

Editorial standards