Stan Beer
Saturday, 09 June 2007 10:19
Yahoo has issued fixes for a critical bug in its Yahoo Messenger IM client which if exploited could hand control of a user's computer to a remote attacker.
The bug lies in the ActiveX controls behind the webcam feature of Yahoo Messenger 8.x, which allow buffer overflows to occur when a webcam is used to view or stream images. This in turn creates the conditions for a remote attack if a user visits a malicious website that exploits the flaw.
Yahoo Messenger has an estimated user base of about 100 million and is interoperable with Microsoft Live Messenger.
Security firm eEye Digital Security, which reported the bug to Yahoo on June 5, stated in an advisory:
"eEye Digital Security has discovered two critical vulnerabilities in ywcupl.dll (version 2.0.1.4) and ywcvwr.dll (version 2.0.1.4) included by default in all releases of Yahoo! Messenger 8.x. Ywcupl.dll is Yahoo's Webcam Upload ActiveX Control used by Yahoo! Messenger to stream content from a user's webcam to other users. Ywcvwr.dll is Yahoo! Messenger's Webcam Viewer ActiveX Control used to view any streamed content. These files are normally used only when viewing or streaming webcam content to and from Yahoo Messenger, but they are incorrectly marked safe for scripting and can be instantiated by any website. Furthermore they both fail to perform bounds checking on variables resulting in 2 stack-based buffer overflow conditions that could allow arbitrary code to execute in the context of the logged-in user."
Yahoo issued a patch for the bug on June 8.
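The advisory's key point is that the two webcam controls were registered as "safe for scripting", so any web page could instantiate them and reach the unchecked code paths. The script below is an added example, not part of the article or of eEye's advisory: it checks, for every CLSID whose in-process server is a given DLL, whether the control is registered in the SafeForScripting component category and whether Internet Explorer's kill bit (0x400 in "Compatibility Flags") is set for it. The category GUIDs and registry locations are the documented Windows ones; the CLSIDs and paths in the sample registry data are constructed placeholders, not the real Yahoo control identifiers.

```python
"""Audit whether ActiveX controls served by a given DLL are marked
"safe for scripting" and whether IE's kill bit blocks them.

Added example; the sample registry contents below are constructed.
"""
import sys

# Component category GUIDs documented in the Windows SDK.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# Kill-bit flag in HKLM\SOFTWARE\Microsoft\Internet Explorer\
# ActiveX Compatibility\{CLSID} -> "Compatibility Flags" (DWORD).
KILLBIT_FLAG = 0x400
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample data: placeholder CLSIDs and paths, NOT the real
# Yahoo identifiers. Shape matches what read_registry_windows() returns.
SAMPLE_REGISTRY = {
    "{11111111-0000-0000-0000-000000000001}": {
        "server": r"C:\Program Files\Yahoo!\Messenger\ywcupl.dll",
        "categories": {CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT},
        "flags": None,               # no kill bit: scriptable by any site
    },
    "{11111111-0000-0000-0000-000000000002}": {
        "server": r"C:\Program Files\Yahoo!\Messenger\ywcvwr.dll",
        "categories": {CATID_SAFE_FOR_SCRIPTING},
        "flags": KILLBIT_FLAG,       # kill bit set: IE refuses to load it
    },
    "{11111111-0000-0000-0000-000000000003}": {
        "server": r"C:\Windows\System32\example.dll",
        "categories": set(),
        "flags": None,
    },
}


def audit_clsid(clsid, server, categories, flags):
    """Describe the web exposure of one registered control."""
    cats = {c.upper() for c in categories}
    safe_script = CATID_SAFE_FOR_SCRIPTING in cats
    safe_init = CATID_SAFE_FOR_INIT in cats
    kill_bit = flags is not None and bool(flags & KILLBIT_FLAG)
    return {
        "clsid": clsid,
        "server": server,
        "safe_for_scripting": safe_script,
        "safe_for_initializing": safe_init,
        "kill_bit": kill_bit,
        # A registry-declared safe-for-scripting control with no kill bit
        # can be created and driven by script on any web page.
        "web_instantiable": safe_script and not kill_bit,
    }


def audit_dll(registry, dll_name):
    """Audit every CLSID whose InprocServer32 path ends in dll_name."""
    want = dll_name.lower()
    results = []
    for clsid, entry in registry.items():
        server = entry.get("server") or ""
        basename = server.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == want:
            results.append(audit_clsid(clsid, server,
                                       entry.get("categories", set()),
                                       entry.get("flags")))
    return results


def read_registry_windows():
    """Walk HKCR\\CLSID with winreg (Windows only) into the dict shape above."""
    import winreg
    registry = {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            entry = {"server": None, "categories": set(), "flags": None}
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as k:
                    entry["server"] = winreg.QueryValueEx(k, "")[0]
            except OSError:
                continue  # not an in-process server; skip
            try:
                with winreg.OpenKey(root, clsid + r"\Implemented Categories") as k:
                    j = 0
                    while True:
                        try:
                            entry["categories"].add(winreg.EnumKey(k, j))
                        except OSError:
                            break
                        j += 1
            except OSError:
                pass
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                    ACTIVEX_COMPAT_KEY + "\\" + clsid) as k:
                    entry["flags"] = winreg.QueryValueEx(k, "Compatibility Flags")[0]
            except OSError:
                pass
            registry[clsid] = entry
    return registry


if __name__ == "__main__":
    reg = read_registry_windows() if sys.platform == "win32" else SAMPLE_REGISTRY
    for dll in sys.argv[1:] or ["ywcupl.dll", "ywcvwr.dll"]:
        for r in audit_dll(reg, dll):
            print(f"{r['clsid']} {dll}: safe_for_scripting={r['safe_for_scripting']} "
                  f"kill_bit={r['kill_bit']} web_instantiable={r['web_instantiable']}")
```

Two caveats for anyone running this on a real machine. First, a control can also claim safety dynamically through IObjectSafety rather than through the registry category, so a control that does not appear in the SafeForScripting category may still be scriptable; the registry check finds the declared case, which is what the advisory describes. Second, the kill bit is the reliable mitigation when a patch cannot be applied immediately: with 0x400 set in "Compatibility Flags" for the CLSID, Internet Explorer refuses to load the control regardless of what safety it claims.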