RealTime IT News

Loose Lips Help Hit Yahoo's IM

UPDATED: That will remind folks of when to shut up.

A Yahoo employee apparently blabbed a little too much in an interview with an IT publication about a vulnerability in Yahoo Messenger, the company's instant messenger program.

Very quickly, what had been an advisory turned into a zero-day exploit, as malicious software writers figured out the details of the vulnerability from the programmer's comments.

The vulnerabilities were found in ActiveX controls used by the Yahoo Webcam image upload and view utilities. Not long after the ill-advised interview, security firm Secunia published an advisory describing the flaws in great detail.

Late on Thursday, Yahoo informed internetnews.com that it had fixed the problem. The notice read in part: "We are encouraging all Yahoo! Messenger users to download the latest version, available at messenger.yahoo.com. Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service."

For users who have not installed the patch, the zero-day exploits could allow arbitrary code to be executed with the same permissions as the logged-on local user. That means the ability to copy or delete files or install software, such as a keystroke logger; where that user is an administrator, it means control of the machine.

Within a day of the interview being posted, exploit code was found on the Web, along with attempts to lure unsuspecting users to Web sites hosting code that triggered the buffer overflow in the vulnerable control and gave the attacker access to the computer.

Security firm eEye, which had been tracking the vulnerability, had issued its own alert, rating it as severe. Co-founder and CTO Marc Maiffret was amused at the indiscretion but not surprised.

"Most software vendors are where Microsoft was ten years ago. They just haven't had enough exposure to security and exposure, so they make a lot of simplistic mistakes," he told internetnews.com. Like giving away an exploit. Microsoft has always been deliberately vague in its alerts sent out prior to Patch Tuesday so as not to give away what issues it's preparing to fix.

Updates a prior version to clarify the Yahoo employee's position and to add Yahoo's information on a patch.