Replying to The Yahoo! Messenger Zero-day For The Month Of August

Security Fix 8.1.0.416

On the 16th of August I reported the latest Yahoo! Messenger exploit that was leaked. At the time not much information was given about the exploit but since then I have a little bit more. The exploit was apparently due to a buffer overflow in the JPEG2000 (http://en.wikipedia.org/wiki/JPEG_2000) CODEC.

Yahoo! has now announced that the exploit has been patched in its latest release, 8.1.0.416. The patch should be automatically pushed out to users.

Yahoo! Messenger is once again in the news for all the wrong reasons. This time it is a heap overflow in the webcam component. The news was apparently first exposed my McAfee in a blog post at http://www.avertlabs...enger-zero-day/. A second post at http://www.avertlabs...er-webcam-0day/ goes into more detail explaining that you shouldn’t accept unknown webcam invites and to possibly firewall port 5100. Security Focus has also issued an alert at http://www.securityf.../bid/25330/info but they only classify is as a remote denial of service attack, far from the remote code execution heralded by McAfee. Security Focus reports that exploit code can be found at http://www.team509.com/expyahoo.rar.

When I hear that a new exploit may be on the market for Messenger the first thing I do is head over to Google News and see what the top Messenger stories are. For some reason I think this particular exploit may be getting the attention of a more generalized audience. Compared to the June 2007 exploit, the news reports appear to be more numerous and written in a more ominous tone. The thing that really caught my attention was the fact that more main stream media outlets are picking up on this story such as ABC (http://www.abcnews.g...tory?id=3482490). Although this particular Yahoo! Messenger attack may not be any worse than the June exploit, Yahoo! may have a bigger public relations mess on their hands.