Internet security researchers have uncovered a flaw in Yahoo! Messenger that could render a user’s computer vulnerable to remote access by a hacker.
The Sunnyvale, Calif.-based Web portal and public instant messaging giant issued a security patch Wednesday evening to remedy the problem, which stems from a buffer overflow error. Tri Huynh, a security researcher with SentryUnion, is credited with the discovery, which was initially sent to a handful of other security firms and mailing lists. Danish security firm Secunia verified the vulnerability and reported it in a widely circulated Web and e-mail alert.
The error can be triggered in an ActiveX component associated with the IM software, and is activated when a function in a file called “yauto.dll” receives an excessively long argument, typically in the form of a Web page URL.
The error could then allow a Web site author to execute a program on the user’s system.
“Some common impacts of a buffer overflow include being involuntarily logged-out of a messenger session, the crashing of applications such as Microsoft Internet Explorer, and in some instances, may allow the introduction of executable code,” Yahoo! wrote in a note accompanying the security patch update.
In an attack scenario outlined in the Secunia report, a hacker could trick a Yahoo! Messenger user into visiting a Web page with their browser, and into clicking on a hyperlink with embedded malicious code.
Secunia rated the flaw “highly critical,” which means that while a remotely exploitable vulnerability exists, there has been no record of a hacker using the security hole. Yahoo!, meanwhile, said that it expects only a “very small percentage” of Messenger users would have been affected by the exploit.
“Yahoo! takes security very seriously and employs rigorous and aggressive measures to help protect our users,” said Mary Osako, a spokesperson for the portal. “Yahoo! is committed to helping to protect users’ experiences while on the Internet and when using Yahoo! Messenger, and encourage users to change their IE security setting to at least the ‘medium’ level and to upgrade to the most recent version of IE.
Meanwhile, Yahoo! also said that Internet Explorer was susceptible to the same ActiveX weakness. Additionally, the company’s spokespeople said that Yahoo! Messenger was only vulnerable to such an attack if a user had intentionally set their Internet Explorer to accept unsigned ActiveX components.
But Secunia Chief Technical Officer Thomas Kristensen disagreed with the latter assertion, and said that even a higher IE security setting wouldn’t protect users who downloaded the yauto.dll component while installing Yahoo! Messenger.
“Everyone who has installed this component is at risk — it’s all of Yahoo!’s users who are vulnerable,” he said. “If you have configured IE to lowest setting, then anyone can introduce the vulnerable component to the browser. But that is completely different, and the issue here is about a Yahoo! user who believes the software they download from Yahoo! is indeed safe.”
Secunia said in the report that users could protect their systems by locating and deleting the yauto.dll component, and also encouraged users to allow ActiveX controls and Active Scripting support only on trusted sites.
The incident also involves the usual charges of unethical behavior typical for bug reports in the software industry. Yahoo! representatives said that the company had only been alerted about the vulnerability Tuesday evening, when Secunia issued its public alert. But Secunia said it published the information after it and several other bug-tracking lists and services received notification from Huynh. Huynh was not reachable for comment.
“This information was publicly available, and as soon as Secunia caught up on the information, we downloaded the Messenger, tested the vulnerability, and discovered the claims are true,” Kristensen said. “We published that information on our Web site, because [Huynh] already published it and made it available, and we’re just trying to make it understandable for corporate users.”
At any rate, the development is the latest in sporadic security issues faced by the public IM providers, ranging from exploitable errors to viruses that can spread via instant messaging. Last year, security experts criticized America Online’s AOL Instant Messenger for harboring a potential exploit, which has since been fixed.
Earlier this year, the security community learned about the existence of the Menger/Coolnow worm, which leveraged a security vulnerability in Internet Explorer to gain control of a user’s MSN Messenger client. The worm sent IMs telling recipients to immediately visit one of several Web sites; clicking on the sent link launched a Web page that in turn, ran JavaScript code that forced MSN Messenger to send the message out to all the contacts in a user’s buddy list. Microsoft responded to the worm by releasing patches.
Concern over such problems with public instant messaging has been one of the major selling points behind enterprise-grade IM software and services.
Christopher Saunders is managing editor of InstantMessagingPlanet.com.
