Yahoo Instant Messenger Vulnerabilities 6/10/2002 > Forums

Unanswered

Active Topics

Forums

Forums > Viruswarning Forum > Viruswarning archive

Subject: Yahoo Instant Messenger Vulnerabilities 6/10/2002

Email me when someone replies to this thread.

You are not authorized to post a reply.

Author

Messages

Lee Drake
Posts:238

06/19/2002 9:32 AM
We have learned recently of several vulnerabilities in Yahoo! Instant Messenger that could allow code of the attacker's choice to run on your machine and to do anything that you can do. That, in plain English, is the opening paragraph of the notice we received last week from the CERT Coordination Center (CERT/CC) at Carnegie-Mellon University. What Is It? The CERT/CC advisory discusses several vulnerabilities, two of which were not discovered until about two weeks ago. One of the two allows an attacker to send a malformed URL to your messenger. The malformed URL could cause arbitrary code to run on your machine that can take any action that you or one of your programs could take. Such code could, among other things, alter or damage your buddy list, alter or delete files, or possibly even install a Trojan Horse program on your computer. Such a program could give the attacker a back door into your machine, enabling him to use it for his own purposes, including the sending of junk email. The second vulnerability allows the "addview" function to execute script and render HTML in your Web browser. By default, this code would run in the Internet security zone, where your security settings are typically somewhat relaxed. Quoting from the CERT/CC bulletin: These vulnerabilities were resolved in Yahoo! Messenger version 5,0,0,1065, released May 22, 2002; however, a bug in the distribution server may have inadvertently installed Yahoo! Messenger version 5,0,0,1036 on systems that downloaded Yahoo! Messenger after May 22, 2002. The bug in the distribution server has since been resolved. What Should You Do? If you use Yahoo! Messenger, the corrective action depends on whether or not you have the AutoUpdater feature enabled. If you have the AutoUpdater enabled and are prompted for an update the next time you log onto Yahoo! Messenger, you should accept the update. If you accepted an update between 22 May 2002 and today, it is possible that you received an old version of the software that is vulnerable. To check your version, select the "About Yahoo! Messenger" function in the Help menu and make sure that your version is 5,0,0,1065 or later. If you find that you still have an older version, you should visit the Yahoo! Messenger distribution server at http://messenger.yahoo.com and update your Messenger by clicking on the Windows link which is located under the Quick Download heading in the upper left corner of the page. If you do not use the AutoUpdater, you should visit the Yahoo! Messenger distribution server at http://messenger.yahoo.com and update your Messenger by clicking on the Windows link which is located under the Quick Download heading in the upper left corner of the page. You should make a habit of checking this server regularly for updates or consider enabling the AutoUpdater. If you don't use Yahoo! Messenger, please pass this information along to anyone you know who does so. References For the curious and the brave, the CERT/CC Advisory number is CA-2002-16, which is available on the CERT/CC Web site at http://www.cert.org/advisories/CA-2002-16.html. Not surprisingly, there does not seem to be much information available directly from Yahoo!, though CERT/CC acknowledged their assistance in preparing the advisory. This concludes this VirusWarning notice. Lee Drake, Moderator

You are not authorized to post a reply.

Forums > Viruswarning Forum > Viruswarning archive > Yahoo Instant Messenger Vulnerabilities 6/10/2002

ActiveForums 3.6