Yahoo Instant Messenger contains security flaw
Security researchers are warning of a security hole in Yahoo's Messenger that could allow attackers to run their own code on computers using the instant messaging program.
By Paul Roberts BOSTON | Friday, 5 December, 2003
|
The evolution of laughter and violence
Zoologists have identified signs of laughter in apes from tickling them. According to the researchers, from Portsmouth University, efforts to trace the origin of laughter - which they say evolved over the past 10 milllion to 16 million years -...
> more from Blog
SUBSCRIPTIONS
 Computerworld is New Zealand's only specialised information systems fortnightly.
Subscribe now for $97.50 (24 issues) and save more than 60% off the cover price!
NEWSLETTERS
 Get the latest news from Computerworld delivered via email.
Sign up now
NEWSFEED
 Subscribe to Computerworld's
RSS newsfeed here and get news stories as they break.
Security researchers are warning of a security hole in Yahoo's Messenger that could allow attackers to run their own code on computers using the instant messaging program.
The buffer overrun vulnerability was discovered by researcher Tri Huynh in a file named "yauto.dll," which is an ActiveX component of Messenger software versions up to 5.6.0.1347, according to a security alert released yesterday by Secunia of Copenhagen, Denmark.
The company was notified via email about the hole one month ago, but did not respond, Secunia says.
Yahoo issued a statement yesterday saying the company only learned of the vulnerability Tuesday evening (US time), after it was posted on public internet bulletin boards, and is working to verify the report and develop a patch for Messenger, Yahoo says.
"Yahoo takes security very seriously and employs rigorous and aggressive measures to help protect our users," the statement says.
Messenger allows users to instantaneously communicate with each other over the internet using text messages. It also lets users send files or links to web pages. Instant messaging applications such as Yahoo!'s Messenger, Microsoft's MSN Messenger and America Online's AOL Instant Messenger are increasingly used at companies to let workers communicate with each other over corporate LANs.
ActiveX is a Microsoft technology that allows software developers to create small, reusable bits of code, called "controls" that enable programs to share information over computer networks and the internet.
Attackers could trigger a buffer overrun on machines running Messenger by sending a long stream of data in the form of a web page URL (uniform resource locator) to a vulnerable function within yauto.dll, crashing the application or allowing the attacker to place his or her own malicious code on the machine, according to Secunia.
To launch an attack, hackers could set up a web page, then lure Messenger users into visiting the site and clicking on a link that triggers the buffer overrun and runs the attack code, Secunia says.
In buffer overflow attacks, hackers use flaws in a software program's underlying code to overwrite areas of the computer's memory, replacing legitimate computer instructions with bad data or other instructions.
Secunia rated the Messenger vulnerability "highly critical," saying that researchers tested the hole and successfully exploited it by downloading and running a Trojan horse program.
Messenger users running vulnerable versions of the program were advised to remove yauto.dll from their computer hard drive. Users should also consider modifying their web browser configuration to prevent ActiveX controls and Active Scripting from running, except on approved websites, Secunia says.
Yahoo says it encourages security community members to adhere to industry practice and contact the company directly using the email address security@yahoo-inc.com. The security hole in yauto.dll was not reported using this address, Yahoo says.
|
|
|
|
|
