Beware the Yahoo Messenger Zero-Day Hack
By Jennifer LeClaire / CRM Daily
The latest word from McAfee Avert Labs is that there is a zero-day vulnerability in Yahoo Messenger, a discovery that marks the second time in a month that security researchers have disclosed a serious vulnerability in the instant-messaging client.

McAfee Avert Labs researchers discovered the Yahoo Messenger bug described on a Chinese security forum, then dug into the report and were able to reproduce the vulnerability. The conclusion is that the Yahoo Messenger flaw might in fact allow for code-execution attacks, but as of Thursday, there have been no reports of any published code designed to exploit this new bug in Yahoo Messenger.

"It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite," Wei Wang, a security researcher at McAfee, wrote in the company's security blog. "Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo webcam ActiveX controls."

Yahoo Messenger Webcam

Over the past few years, the security world has witnessed a dramatic shift from server-side to client-side attacks, according to Michael Sutton, a security evangelist at SPI Dynamics. Attackers have learned that client-side attacks are excellent facilitators for phishing and identity theft, he explained.

"The latest Yahoo IM vulnerability is a perfect example of a serious client-side vulnerability that leaves millions of unsuspecting users vulnerable to attack," Sutton said. "Fortunately, we have not heard of widespread attacks using this attack vector, nor have we seen publicly available exploit code. Hopefully Yahoo will move quickly and push a patch down to all IM clients in order to mitigate this threat."

Instant Messenger Threats

McAfee's Wang recommended several steps to Yahoo Messenger users seeking to protect themselves. First, he suggested, don't accept webcam invites from untrusted sources until a patch for this bug is released.

"It's advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability," Wang added. "To mitigate this, we're releasing our NIPS IntruShield signatures today to protect Yahoo Messenger users from this threat. We shall keep on monitoring this threat and update if we come across anything."

Instant-messaging threats are counted among the rising number of financially motivated, Web-borne malware attacks in Secure Computing's latest report that identifies information-stealing hacks and backdoor vulnerabilities as the greatest threats. Research firm Gartner has predicted that financially motivated attacks using professional-grade malware will have infected 75 percent of enterprises by the end of 2007.

© Copyright 2018 NewsFactor Network. All rights reserved.