[AI] Yahoo Messenger Hole Found

Vikas Kapoor dl.vikas at gmail.com
Thu Aug 16 09:55:18 EDT 2007

Yahoo Messenger Hole Found
A vulnerability in Yahoo's IM program could allow an intruder's code to run on a PC.
Jeremy Kirk, IDG News Service

gram can potentially cause unwanted code to run on a PC, according to security researchers.

Details of the vulnerability were first posted on a Chinese-language security forum and were later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee Inc.'s Avert lab in Beijing, on a company blog.

So far, no exploit code has been published, Karthik Raman, also of McAfee.

The vulnerability affects Yahoo Messenger version It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behavior such as downloading other code, said Greg Day, a security analyst for McAfee in the

McAfee is advising that people reject Web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with the program's operation, Day said.

Yahoo could not be immediately reached for comment.


Vikas Kapoor,
MSN Id:dl_vikas at hotmail.com, Yahoo+Skype Id: dl_vikas,
Mobile: (+91) 9891098137.
