Zero-Day Bug In Yahoo Messenger Pops Up - InformationWeek

The heap overflow vulnerability can be triggered when a user accepts a Webcam invite, according to McAfee researchers.

Researchers at McAfee report that they have reproduced a publicly claimed zero-day vulnerability in the Webcam feature of Yahoo Messenger.

Karthik Raman, a researcher with McAfee, first reported in a Tuesday blog entry that Chinese researchers were claiming to have found a zero-day bug in Yahoo Messenger. On Wednesday, Raman's fellow McAfee researcher Wei Wang noted in a blog entry that they had been able to reproduce the vulnerability on Messenger version 8.1.0.413.

"It seems like a classic heap overflow, which can be triggered when the victim accepts a Webcam invite," wrote Wang.

The bug, according to McAfee, may enable user-assisted remote-code execution attacks, meaning the victim must take an action (here, accepting the Webcam invite) before the flaw can be triggered. Raman noted that McAfee had not yet seen any exploit code for this flaw published.

McAfee said it has contacted Yahoo's security team and notified it of the problem.

"Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly," said a Yahoo spokesman in an e-mail to InformationWeek. "Yahoo takes security seriously and consistently employs measures to help protect our users."

Wang also reported that this vulnerability is different from the one that was patched in June. At that time, researchers at eEye Digital Security had reported multiple flaws in version 8 of Yahoo's instant messaging client; those flaws could allow a remote attacker to take control of a user's system.

A Yahoo spokeswoman had explained that the June issue was a buffer-overflow flaw in an ActiveX control that forms part of the code for Webcam image upload and viewing.

McAfee's researchers offered a few recommendations to deal with this latest bug:

  • Users should not accept Webcam invites from untrusted sources until a patch for this vulnerability is released and installed.
  • Block outgoing traffic on TCP port 5100 until Yahoo can patch the flaw.
