Upgrade Your Yahoo Messenger Immediately



#1 tomato71

Posted 09 June 2007 - 03:39 PM

Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate ActiveX controls related to the webcam functionality. Both vulnerabilities are buffer overflows that can be exploited to execute arbitrary code on a victim's computer just by making him/her/it view a malicious web page in Internet Explorer.

Very accurate and script-kiddie-friendly exploits are publicly available for both vulnerabilities. It is possible that crimeware distributors will start exploiting this for drive-by downloads. Therefore, please install the latest upgraded version of Yahoo Messenger (ver 8.1.0.401) as soon as possible. Yahoo will start distributing the new version soon through an automatic update, but until that happens, you will need to install the new version manually by going to the Yahoo Messenger download page.


Quoting Yahoo:

*Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.*

Yahoo has a very good track record of fixing security issues quickly. However, I feel it is not proactive enough in communicating the security advisories to their users. For instance, for the current issues, there is no notice or link on the Yahoo Messenger home page or any other part of the website asking users to install the urgent security upgrade. You won't find the advisory unless you are looking for it.


http://www.f-secure.com/weblog/archives/ar...7.html#00001208

Edited by jgweed, 10 June 2007 - 08:05 AM.



#2 Commander Gman

Posted 09 June 2007 - 07:59 PM

Thanks for the update, tomato71 :thumbsup: I have already installed the latest version of Yahoo Messenger.
But I have this feeling that if Yahoo Messenger gets more popular nowadays, more security issues will pop out and would probably end up being like (McAfee or Norton).
So I'd rather switch to a low-profile IM program.

Edited by Commander Gman, 09 June 2007 - 07:59 PM.

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3


#3 BlackSpyder

Posted 09 June 2007 - 09:58 PM

Thank goodness for GAIM/Pidgin.


#4 harrywaldron

Posted 11 June 2007 - 12:38 PM

Thanks for sharing this important need ... copy of blog post below with additional links:

Users of Yahoo's Messenger Instant Messaging need to move to the latest version as quickly as possible. Two serious vulnerabilities have surfaced that are now being exploited in the wild.

Yahoo repaired these deficiencies within hours and the first link below provides the site for downloading the more secure version.

Solution -- Update to the latest version:
http://messenger.yahoo.com

Yahoo Messenger exploits seen in the wild
http://isc.sans.org/diary.html?storyid=2952

Two Yahoo Messenger vulnerabilities (with PoCs)
http://isc.sans.org/diary.html?storyid=2943

Yahoo Messenger - Overview of Vulnerabilities
http://secunia.com/advisories/25547/
http://messenger.yahoo.com/security_update.php?id=060707
http://lists.grok.org.uk/pipermail/full-di...une/063817.html
http://lists.grok.org.uk/pipermail/full-di...une/063819.html

Two vulnerabilities in Yahoo Messenger can be exploited by malicious people to compromise a user's system.

1) A boundary error within the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.

2) A boundary error within the Yahoo! Webcam Viewer (ywcvwr.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.

Successful exploitation of the vulnerabilities allows execution of arbitrary code. The vulnerabilities are confirmed in version 8.1.0.249. Other versions may also be affected.





