McAfee has confirmed a zero-day vulnerability in Yahoo’s popular instant messaging solution, Yahoo Messenger. McAfee’s Avert Labs is a security research firm designed to tackle security issues as soon as they trickle into the world, and the crew first noticed the potential flaw on a post on a Chinese-language security forum.
The flaw, according to McAfee, allows for a user-assisted remote code execution attack, meaning an IM user has to act in response to a prompt from a hacker in order for the attack to proceed.
McAfee Avert Labs reproduced the vulnerability on Yahoo Messenger version 126.96.36.1993.
Piling On the Heap
“It seems like a classic heap overflow, which can be triggered when the victim accepts a webcam invite,” explained Avert Labs’ Wei Wang. “Note that this vulnerability is different from the recently patched one in June, which exploited the Yahoo Webcam ActiveX controls.”
McAfee has alerted Yahoo of the issue, the research firm said. Yahoo posted a fix of the webcam ActiveX in June. While a fix isn’t ready at this time, end users can easily avoid the problem if they don’t accept webcam invites from untrusted sources.
For its part, McAfee has also released signatures for its IntruShield network intrusion protection system, which protect Yahoo Messenger users from the threat.
Growing IM Issues?
Yahoo Messenger was the victim of the above-mentioned webcam ActiveX attack earlier this year, but have there been many others?
“Prior to 2002, 2003, there were only a couple dozen IM-based threats in total, but now sometimes we see upwards of 70 or 80 new ones a month,” Dave Marcus, security research and communications manager for McAfee Avert Labs, told TechNewsWorld.
“It’s definitely been a growing area for a couple of years, which really makes sense when you consider how many more people now are using IM as a communication tool than in past years,” he added.
What’s the best way to avoid IM-based vulnerabilities?
“Some of the same best practices with basic e-mail safety transition to IM, too,” Marcus said.
“You’ve got to be careful of people sending you stuff who are not on your buddy list. A lot of [nefarious] people like to send links that are not correct, that are fake links to sites with malware, spyware or trojans,” he explained. “Not accepting messages from people outside of your buddy list is a first place to start.”
Despite this, there are a lot of tools in the underground that let hackers capture IM traffic between parties, which could also help them try to fake the identity of someone an IM user is friends with. To make matters worse, there’s a growing trend of hackers using malware to steal identities and glean personal information for profit.
For even stronger protection, Avert Labs recommends that people block outgoing traffic on TCP port 5100 until Yahoo patches the vulnerability.
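One way a defender can check whether the port-5100 recommendation above is actually being enforced is to audit firewall logs for outbound TCP connections to that port. The script below is an added example, not code from the article, McAfee or Yahoo; it assumes a simple key=value firewall log format and uses constructed sample lines. Allowed outbound TCP flows to the port indicate hosts the block has not yet reached; denied ones confirm the rule is working.

```python
import re

# Constructed sample firewall log lines (not real traffic). The key=value
# layout is an assumption made for this example; adapt parse_line() to
# your firewall's actual format.
SAMPLE_LOG = """\
2007-08-29T10:14:02Z action=allow proto=tcp src=10.0.0.12 spt=49233 dst=203.0.113.7 dpt=5100 dir=out
2007-08-29T10:14:05Z action=allow proto=tcp src=10.0.0.12 spt=49234 dst=203.0.113.9 dpt=443 dir=out
2007-08-29T10:15:11Z action=allow proto=tcp src=203.0.113.7 spt=5100 dst=10.0.0.12 dpt=49233 dir=in
2007-08-29T10:16:40Z action=allow proto=udp src=10.0.0.15 spt=5100 dst=10.0.0.1 dpt=53 dir=out
2007-08-29T10:17:03Z action=deny proto=tcp src=10.0.0.20 spt=51001 dst=198.51.100.4 dpt=5100 dir=out
"""

# Port named in the article's mitigation advice (outgoing TCP 5100).
WEBCAM_PORT = 5100

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict.

    Port fields are converted to int so comparisons do not depend on
    string formatting. Returns None for blank or unparsable lines.
    """
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    record = {"ts": timestamp}
    for key, value in _KV.findall(rest):
        record[key] = int(value) if key in ("spt", "dpt") else value
    # Require the fields the audit relies on.
    if not {"action", "proto", "dir", "dpt", "src"} <= record.keys():
        return None
    return record


def is_outbound_tcp_to(record, port):
    """True for an outbound TCP flow whose destination port is `port`.

    Inbound flows whose *source* port is 5100 and UDP flows are excluded
    on purpose: the recommendation is about outgoing TCP connections.
    """
    return (
        record["proto"] == "tcp"
        and record["dir"] == "out"
        and record["dpt"] == port
    )


def audit_outbound(log_text, port=WEBCAM_PORT):
    """Split matching flows into those the firewall allowed and denied.

    'allowed' entries are hosts still able to reach the port (the block
    is missing or not applied to them); 'denied' entries show the rule
    doing its job.
    """
    result = {"allowed": [], "denied": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_outbound_tcp_to(rec, port):
            continue
        bucket = "allowed" if rec["action"] == "allow" else "denied"
        result[bucket].append(rec)
    return result


def hosts_needing_block(log_text, port=WEBCAM_PORT):
    """Sorted list of internal source hosts that were allowed out to `port`."""
    return sorted({r["src"] for r in audit_outbound(log_text, port)["allowed"]})


if __name__ == "__main__":
    report = audit_outbound(SAMPLE_LOG)
    print("allowed outbound to %d:" % WEBCAM_PORT, len(report["allowed"]))
    print("denied outbound to %d: " % WEBCAM_PORT, len(report["denied"]))
    print("hosts still needing the block:", hosts_needing_block(SAMPLE_LOG))
```

On the constructed sample, only 10.0.0.12 reaches TCP 5100 outbound while allowed, so it is the one host the report lists as still needing the block; the inbound flow from 203.0.113.7 and the UDP flow with source port 5100 are correctly ignored.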