RealTime IT News

Holes Still Linger in Yahoo Messenger

A mere week after Yahoo! patched holes in its instant messaging platform, the company continues to clean up after the security threat. On May 27, 2002, the Computer Emergency Response Team Coordination Center (CERT) discovered a buffer overflow and a URL validation vulnerability in the Yahoo! Messenger client for Windows.

Yahoo! released a fixed version of Yahoo! Messenger (5,0,0,1065) and began issuing a patch (5,0,0,1066) via the AutoUpdater to address this issue.

But CERT said Wednesday that users who downloaded Yahoo! Messenger after May 22, 2002, should be aware that a bug in the distribution server might have inadvertently installed Yahoo! Messenger version 5,0,0,1036, which is vulnerable to remote attacks. That bug has since been fixed.

The problems center on a buffer overflow in the popular Internet communication tool as well as on its "addview" function.

"Attackers that are able to exploit these vulnerabilities may be able to execute arbitrary code with the privileges of the victim user. We have not seen active scanning for these vulnerabilities, nor have we received any reports of these vulnerabilities being exploited, but users should upgrade to version 5,0,0,1065 or later," said CERT researcher and advisory author Jason Rafail.

The buffer overflow happens during the processing of the Yahoo! Messenger URI handler (ymsgr:). This URI handler is installed at the system level for applications that use the underlying operating system when processing URIs (such as Microsoft Internet Explorer, Netscape Navigator 6, Microsoft Outlook, or the command shell).

A URI can be sent by another Yahoo! Messenger user in a message, embedded in a Web site, or sent in an HTML-renderable e-mail message, the advisory said.

The threat seems to only cover Windows-based machines. Macintosh OS systems seem to be unaffected at this point.

CERT also said a vulnerability exists in Yahoo! Messenger's "addview" function. The problem is bad enough that it might permit a remote attacker to execute arbitrary script and HTML in the Internet security zone of the local machine.

The "addview" function is only supposed to accept view information from Yahoo! servers. However, an attacker could send malicious script and HTML to the client using the Yahoo! URL redirection service. This script or HTML is interpreted by the Yahoo! Messenger client and is displayed in the client's web browser.
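The following is an added example, not code from the advisory or from Yahoo!, showing why a check on the first URL's host alone fails when a trusted host also runs a redirection service, next to a check that validates every hop. The hostnames, the redirect table and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed hosts standing in for the vendor's servers (not real Yahoo! names).
TRUSTED_HOSTS = {"views.vendor.example", "redirect.vendor.example"}

# Constructed offline redirect table: URL -> Location value it would answer with.
REDIRECTS = {
    "https://redirect.vendor.example/go?id=1": "https://views.vendor.example/news",
    "https://redirect.vendor.example/go?id=2": "https://attacker.example/evil.html",
    "https://redirect.vendor.example/loop": "/loop",
}


def host_trusted(url):
    """True only for https URLs whose parsed hostname is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def naive_check(url):
    """Weak form: accepts the view if the first URL names a trusted host."""
    return host_trusted(url)


def resolve_checked(url, lookup=REDIRECTS.get, max_hops=5):
    """Return the final URL if every hop stays on trusted hosts, else None."""
    for _ in range(max_hops + 1):
        if not host_trusted(url):
            return None              # a hop left the allowlist: reject the view
        location = lookup(url)
        if location is None:
            return url               # no further redirect: this is the content URL
        url = urljoin(url, location)  # resolve relative Location values
    return None                      # redirect loop or chain longer than max_hops


if __name__ == "__main__":
    for candidate in REDIRECTS:
        print(candidate, naive_check(candidate), resolve_checked(candidate))
```

In a real client the `lookup` argument would be replaced by a request that does not follow redirects automatically, so each `Location` value can be checked before it is fetched.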

Yahoo! said it "encourages users to upgrade to the latest version whenever prompted by the AutoUpdater" or regularly check for updated versions of the client at its messenger.yahoo.com site.

Instant messaging platforms are becoming the preferred method of hacker attacks, according to Gartner Inc.

The firm's report, released Wednesday, said 58 percent of those surveyed said the careless use of personal communications by their employees -- especially e-mail and instant messaging (IM) -- poses the most dangerous security risk to their networks.

Similar problems have cropped up in just the last year with instant messengers from Microsoft, AOL and AOL's ICQ platforms.