Security Bugs Squashed in Yahoo IM

Yahoo! has patched holes in its instant messenger (YIM)
application after a Vietnamese researcher found security vulnerabilities
that allowed unauthorized execution of programs on a user’s PC via buffer
overflows or Java or Visual Basic script execution.

In an advisory, researcher Phuong Nguyen said the holes allowed
unauthorized script execution through the YIM content tabs. “The net impact
is to allow a relatively simple opportunity to hijack users’ YIM client
outright, and use it to attack or intrude into YIM users supposedly private
information systems,” Nguyen said.

The researcher said Yahoo! was informed of the vulnerability and issued a repaired
version
of the popular text-based chat tool.

The Yahoo IM fix comes on the heels of a similar problem which cropped up for competitor Microsoft’s
instant messenger product.

The Yahoo! IM alert, which was publicized after the company released a
repaired version of the instant messenger, contained two vulnerabilities in
the client. The research firm found a buffer overrun which enabled any URL
beginning with “ymsgr:” to execute “ypager.exe” code. Once “ypager.exe” is
called, the IM client crashed and unauthorized code could be deployed if the
Yahoo IM was running on a browser.

“If we input a string that has more than 260 bytes we will crash YIM; 264
bytes will overwrite the EBP register; four (4) more bytes will overwrite
the EIP register. In total, 268 bytes are needed to cause a buffer
overflow,” according to the alert.

“With no proper bounds checking in the ymsgr protocol, attackers can
overflow the YIM function calls “call”, “sendim”, “getimv”, “chat”,
“addview”, “addfriend” tags,” the firm said.

It said Yahoo! removed some functionalities of the repaired IM client,
including the “addview” function which enabled the instant messenger to view
Web content on its own.

News Around the Web