The latest word from McAfee Avert Labs is that there is zero-day vulnerability in Yahoo Messenger, a discovery that marks the second time in a month that security researchers disclosed a serious vulnerability in the instant-messaging client.
McAfee Avert Labs researchers discovered the Yahoo Messenger bug described on a Chinese security forum, then dug into the report and were able to reproduce the vulnerability. The conclusion is that the Yahoo Messenger flaw might in fact allow for code-execution attacks, but as of Thursday, there have been no reports of any published code designed to exploit this new bug in Yahoo Messenger.
"It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite," Wei Wang, a security researcher at McAfee, wrote in the company's security blog. "Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo webcam ActiveX controls."
Yahoo Messenger Webcam
Over the past few years, the security world has witnessed a dramatic shift from server-side to client-side attacks, according to Michael Sutton, a security evangelist at SPI Dynamics. Attackers have learned that client-side attacks are excellent facilitators for phishing and identity theft, he explained.
"The latest Yahoo IM vulnerability is a perfect example of a serious client-side vulnerability that leaves millions of unsuspecting users vulnerable to attack," Sutton said. "Fortunately, we have not heard of widespread attacks using this attack vector, nor have we seen publicly available exploit code. Hopefully Yahoo will move quickly and push a patch down to all IM clients in order to mitigate this threat."
Instant Messenger Threats
McAfee's Wang recommended several steps to Yahoo Messenger users seeking to protect themselves. First, he suggested, don't accept webcam invites from untrusted sources until a patch for this bug is released.
"It's advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability," Wang added. "To mitigate this, we're releasing our NIPS IntruShield signatures today to protect Yahoo Messenger users from this threat. We shall keep on monitoring this threat and update if we come across anything."
Instant-messaging threats are counted among the rising number of financially motivated, Web-borne malware attacks in Secure Computing's latest report that identifies information-stealing hacks and backdoor vulnerabilities as the greatest threats. Research firm Gartner has predicted that financially motivated attacks using professional-grade malware will have infected 75 percent of enterprises by the end of 2007.