> The Yahoo! Messenger Zero-day For The Month Of August
tansqrx
post Aug 16 2007, 08:59 PM
Post #1


Super Member
Group: [HOSTED]
Posts: 521
Joined: 25-April 05
Member No.: 4,374



Yahoo! Messenger is once again in the news for all the wrong reasons. This time it is a heap overflow in the webcam component. The news was apparently first exposed by McAfee in a blog post at http://www.avertlabs.com/research/blog/ind...enger-zero-day/. A second post at http://www.avertlabs.com/research/blog/ind...er-webcam-0day/ goes into more detail explaining that you shouldn’t accept unknown webcam invites and to possibly firewall port 5100. Security Focus has also issued an alert at http://www.securityfocus.com/bid/25330/info but they only classify it as a remote denial of service attack, far from the remote code execution heralded by McAfee. Security Focus reports that exploit code can be found at http://www.team509.com/expyahoo.rar.

When I hear that a new exploit may be on the market for Messenger, the first thing I do is head over to Google News and see what the top Messenger stories are. For some reason I think this particular exploit may be getting the attention of a more generalized audience. Compared to the June 2007 exploit, the news reports appear to be more numerous and written in a more ominous tone. The thing that really caught my attention was the fact that more mainstream media outlets are picking up on this story such as ABC (http://www.abcnews.go.com/Technology/PCWorld/story?id=3482490). Although this particular Yahoo! Messenger attack may not be any worse than the June exploit, Yahoo! may have a bigger public relations mess on their hands.
tansqrx
post Aug 23 2007, 08:48 PM
Post #2





Security Fix 8.1.0.416

On the 16th of August I reported the latest Yahoo! Messenger exploit that was leaked. At the time not much information was given about the exploit but since then I have a little bit more. The exploit was apparently due to a buffer overflow in the JPEG2000 (http://en.wikipedia.org/wiki/JPEG_2000) CODEC.

Yahoo! has now announced that the exploit has been patched in its latest release, 8.1.0.416. The patch should be automatically pushed out to users.