RealTime IT News

Security Bugs Squashed in Yahoo IM

Yahoo! has patched holes in its instant messenger (YIM) application after a Vietnamese researcher found security vulnerabilities that allowed unauthorized execution of programs on a user's PC via buffer overflows or Java or Visual Basic script execution.

In an advisory, researcher Phuong Nguyen said the holes allowed unauthorized script execution through the YIM content tabs. "The net impact is to allow a relatively simple opportunity to hijack users' YIM client outright, and use it to attack or intrude into YIM users supposedly private information systems," Nguyen said.

The researcher said Yahoo! was informed of the vulnerability and issued a repaired version of the popular text-based chat tool.

The Yahoo IM fix comes on the heels of a similar problem which cropped up for competitor Microsoft's instant messenger product.

The Yahoo! IM alert, which was publicized after the company released a repaired version of the instant messenger, contained two vulnerabilities in the client. The research firm found a buffer overrun which enabled any URL beginning with "ymsgr:" to execute "ypager.exe" code. Once "ypager.exe" is called, the IM client crashed and unauthorized code could be deployed if the Yahoo IM was running on a browser.

"If we input a string that has more than 260 bytes we will crash YIM; 264 bytes will overwrite the EBP register; four (4) more bytes will overwrite the EIP register. In total, 268 bytes are needed to cause a buffer overflow," according to the alert.

"With no proper bounds checking in the ymsgr protocol, attackers can overflow the YIM function calls "call", "sendim", "getimv", "chat", "addview", "addfriend" tags," the firm said.

It said Yahoo! removed some functionalities of the repaired IM client, including the "addview" function which enabled the instant messenger to view Web content on its own.