Yahoo Messenger zero-day exploits on the loose

'Extremely critical' bugs let attackers snatch control of Windows PCs via IM

Gregg Keizer (Computerworld)
08 June, 2007 10:51
Comments

Shortly after eEye Digital Security notified Yahoo Wednesday that the portal's Messenger IM client was vulnerable to attack, a researcher fingered two ActiveX controls as flawed and posted exploit code that can be used to hijack Windows machines.

Although eEye's advisory was vague about details -- it said Messenger's Webcam ActiveX control was at fault -- the researcher laid all bare on the full-disclosure list.

The researcher, who went by the name "Danny," cited "45 minutes of fuzzing!" in a post Wednesday about the flaw. In a follow-up today, Danny published a second exploit. "This affects the viewer ywcvwr.dll with yahoo messenger," he said.

Aliso, eEye called the Yahoo Messenger bugs serious. "ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site," the security vendor said. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with administrator credentials."

Most Windows XP users run in administrator mode.

Danish vulnerability tracker Secunia rated the Messenger bugs as "extremely critical" -- its highest-possible threat ranking.

Until Yahoo provides a patch, eEye said the only work-around defense is to set the kill-bit for the two Yahoo ActiveX controls. However, because that involves manually editing the Windows registry, it's not a tactic most users will feel comfortable doing. Microsoft, which in the past has recommended kill-bitting to temporarily protect users against vulnerabilities in Internet Explorer and its other software, has offered a set of technical instructions on setting kill bits.

Yahoo has not yet posted a fix for the flaws to its security update page. The last Messenger bug, also because of a vulnerable ActiveX control, was fixed in April.

"Correction: The Acer Chromebook has a 325 GB spinning magnetic hard drive. ..."

Google adds more retailers for Chromebook
"yeah, because its Australians fault the US gov and big Corps do ..."

Mobile app data protection not our responsibility, say Australians
"Despite the fact that the number of 457s has peaked in the ..."

Opposition calls for inquiry on 457 visas
"80% + 75% + 'only' 66% = 221%"

Mobile app data protection not our responsibility, say Australians
"Assange could have all the sunshine he needs: Swedish sunlight, US sunlight. ..."

A year on, Assange still a divisive issue

Whitepapers

All whitepapers

Most Read

Sign up now to get free exclusive access to reports, research and invitation only events.

Most Commented

Featured Whitepapers

A Holistic Approach to your BYOD Challenge

More and more enterprises are seeing significant benefits from allowing employees to choose the device they use to get their jobs done, and are adopting bring your own device (BYOD) initiatives. While the BYOD trend increases flexibility and productivity, it introduces a host of new challenges for your IT administrators. Click for more!

Featured Download

DriverScanner 2010

DriverScanner scans your computer and provides you with a list of drivers that need to be updated. All you have to do, then, is simply ...

Zones

Most Popular Whitepapers

Best Practices to Make BYOD Simple and Secure

As consumerisation continues to transform IT, organisations are moving quickly to design strategies to allow bring-your-own devices (BYOD). This paper provides IT executives with guidance to develop a complete BYOD strategy which gives people optimal freedom of choice while helping IT adapt to consumerisation - at the same time addressing requirements for security, simplicity and cost reduction. Read now.

Popular tags: Business Management, Security, Storage, Data Centre, Virtualisation

Latest Jobs

FTPeoplesoft CRM DeveloperWA
FTPeoplesoft CRM DeveloperWA
FTJob Title: Mac Systems/ Enterprise Systems EngineerNZ
FTTechnical Business AnalystNSW
FTInvestment System Support ConsultantNSW
FTJunior Financial System Support ConsultantNSW
FTFlash / ActionScript Developer - ContractNSW
FTFlash / ActionScript Developer - ContractNSW
FTWeb Analyst - WebTrendsVIC
FTApplication Support ConsultantNSW

Market Place

Yahoo Messenger zero-day exploits on the loose

Recommended

Profile IT: St Mary’s College ICT manager, Paul ...

ACMA defends process after police protest spectrum decisions

Social data tool reveals value of an individual ...

10 iOS 7 features that could make enterprises smile

IoT: Aussies prepare to ship Wi-Fi connected lightbulbs

UPDATED: 4G in Australia: The state of the nation

Google adds more retailers for Chromebook

ACMA defends process after police protest spectrum decisions

Microsoft shows revenue hand with Office for iPhone

NBN Co should take asbestos responsibility: analyst

ASIC has used s313 10 times to block websites

Conroy launches new digital strategy; reviews startup barriers

Opinion: How Microsoft could rule consumer electronics

Opposition calls for inquiry on 457 visas

A Holistic Approach to your BYOD Challenge

Data Centre Physical Infrastructure: Optimising Business Value

Clearing the Clouds for Midmarket Businesses

The Foundation for Cloud Management

DriverScanner 2010

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Best Practices to Make BYOD Simple and Secure

The Business Case for Better Disaster Recovery

EMC's Flash Strategy

McAfee Complete Endpoint Protection - Enterprise

5 Myths of Cloud Computing

Computerworld newsletter

Don't have an account?

Yahoo Messenger zero-day exploits on the loose

Recommended

Computerworld newsletter