Bardissi Enterprises Blog

Update for: Two Zero-Day Exploits Abuse Yahoo! Messenger ActiveX Controls

Severity: Medium

11 June, 2007

Update:

On Thursday 7 June, we alerted you about two zero day vulnerabilities affecting Yahoo! Messenger 8.x. By enticing a Yahoo! Messenger user into visiting a malicious Web page, an attacker can exploit either of these flaws to run code on that user’s computer, and possibly gain full control of it.

In a security update released last Friday, Yahoo posted a new version of Yahoo! Messenger 8.x to fix these vulnerabilities. Since the researcher identifying himself as Danny has publicly released exploit code for these flaws, they pose a significant risk. If Yahoo! Messenger is used in your network, you should download, test, and deploy the latest version as soon as possible. Otherwise, remind your users not to install Yahoo! Messenger on corporate computers, and to remove it if necessary.

As a convenient reference, we’ve reproduced the 7 June Yahoo! Messenger broadcast, below. You can also find it in the LiveSecurity Latest Broadcasts archive.




Summary:

Today, a gray hat researcher publicly posted exploits for two zero-day vulnerabilities that affect Yahoo! Messenger 8.x. By enticing a Yahoo! Messenger user into visiting a malicious Web page, an attacker can exploit either of these flaws to run code on that user’s computer, and possibly gain full control of it. If you use Yahoo! Messenger in your network, or suspect that your users have installed it, either remove it or install the latest version.

Exposure:

Yahoo! Messenger is one of the many Instant Messaging applications that allow users to send real-time, pop-up messages to each other over the Internet. Instant Messaging is popular enough that your users might have installed the Yahoo! Messenger client on a company computer whether or not your policy authorizes doing so.

In two posts [ 1 / 2 ] to the Full Disclosure security mailing-list, a gray hat researcher who identified himself only as “Danny” released Proof-of-Concept (PoC) exploit code for two serious buffer overflow vulnerabilities in ActiveX controls shipping with Yahoo! Messenger 8.x. Danny doesn’t detail the technical cause for these two flaws. However, he notes that the flaws lie in the Yahoo! Webcam Viewer ActiveX control (ywcvwr.dll) and the Yahoo! Webcam Upload ActiveX control (ywcupl.dll). By tricking one of your Yahoo! Messenger users into visiting a specially crafted Web page, an attacker could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, an attacker could exploit this flaw to gain total control of their machines.

Danny’s two exploits apparently target the same previously undisclosed vulnerabilities that eEye Digital Security mentions on one of its pages describing upcoming advisories. If that’s the case, eEye has already reported the flaws to Yahoo. According to an InformationWeek article, Yahoo has already begun to prepare patches and will release them shortly. However, Danny chose to release his exploits before Yahoo had time to release its patch. Any script kiddie could easily modify the simple exploits Danny released so that they open a reverse shell on your computers. We highly recommend that you have your Yahoo! Messenger users remove the application, or follow the workaround in our Solution Path section immediately.

Solution Path:

Even if your organization does not officially endorse the use of unsecured Instant Messaging, at many sites, employees persist in trying to sneak Instant Messaging software onto company machines. If you suspect some of your users have installed Yahoo! Messenger, consider forwarding a warning about this vulnerability to all the users on your network. If your company policy does call for the use of Instant Messaging, we strongly recommend that you migrate to a secure Instant Messaging application.

Danny released his exploits before Yahoo had time to complete the patch fixing these issues. Until Yahoo releases an upgrade or patch, as a workaround you can set a “kill bit” that prevents Internet Explorer (IE) from loading Yahoo’s vulnerable ActiveX controls. This workaround blocks the attack vector described above, a malicious Web page rendered in IE, but it does not remove or unregister the vulnerable DLLs; it only stops IE from instantiating them. Note that the workaround also prevents your Yahoo! Messenger clients from using some Webcam features.

Note: Setting a kill bit for ActiveX controls is an involved process that requires you to manually edit the Windows registry, either on a single machine or via Group Policy. You should only attempt this workaround if you are comfortable editing the registry.

Every ActiveX control has a specific Class Identifier (CLSID) string that identifies that ActiveX control to Windows. Yahoo! Messenger’s vulnerable ActiveX controls use the following CLSIDs:

  • {DCE2F8B1-A520-11D4-8FD0-00D0B7730277}
  • {9D39223E-AE8E-11D4-8FD3-00D0B7730277}

To manually set a “kill bit” that prevents IE from loading these ActiveX controls:

1. Click Start => Run in Windows.
2. In the Run dialog, type regedit and press Enter to open the Windows Registry Editor.
3. In the left-hand column, navigate to the following key by expanding these folders:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
4. Right-click the ActiveX Compatibility key (its icon looks like a folder) and select New => Key.
5. This creates a new key at the bottom of the list. Rename it to one of the CLSIDs listed above, braces included; for instance, rename the first new key to {DCE2F8B1-A520-11D4-8FD0-00D0B7730277}.
6. Right-click the {DCE2F8B1-A520-11D4-8FD0-00D0B7730277} key you just created and choose New => DWORD Value.
7. In the right-hand column, rename the new value to Compatibility Flags and press Enter.
8. Double-click the new Compatibility Flags entry to edit its DWORD value.
9. Set the value to 400 and make sure Hexadecimal is selected (0x400 is the kill bit that tells IE not to load the ActiveX control you specified). Click OK.
10. Repeat these steps for the remaining CLSID.
11. When you’re finished, close the Registry Editor.

On 64-bit Windows, the 32-bit version of IE reads the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set the kill bit there as well. If you use Group Policy, we recommend you use it to push these registry changes to your whole network at once. Keep in mind that once Yahoo patches these flawed ActiveX components, you may have to delete these new registry entries to regain the functionality these ActiveX controls provide. For more on disabling ActiveX controls in IE, see this Microsoft Knowledge Base article.
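The following PowerShell script performs the same kill-bit procedure without hand-editing the registry, and also reports whether each CLSID is actually registered on the machine (that is, whether the Yahoo! Messenger webcam DLLs are installed at all). It is an added example, not part of the original WatchGuard broadcast or of any Yahoo tooling; it assumes an elevated (Administrator) session on PowerShell 3 or later, and it ORs 0x400 into any existing Compatibility Flags value rather than overwriting it. The Remove-KillBit function is the undo step for after Yahoo ships a fixed control.

```powershell
# Added example (not from the original broadcast): set, verify, or remove the
# Internet Explorer kill bit for the two Yahoo! Messenger webcam ActiveX
# controls named in the advisory. Run from an elevated PowerShell session;
# it edits HKEY_LOCAL_MACHINE.

$VulnerableControls = @{
    '{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}' = 'ywcvwr.dll (Yahoo! Webcam Viewer)'
    '{9D39223E-AE8E-11D4-8FD3-00D0B7730277}' = 'ywcupl.dll (Yahoo! Webcam Upload)'
}

# 0x400 is the kill bit: IE refuses to instantiate a control whose
# Compatibility Flags value has this bit set.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key, so
# cover both registry views where they apply.
$CompatKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $CompatKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-RegisteredControlPath {
    # Returns the DLL a CLSID is registered to, or $null if the control is
    # not installed on this machine (i.e. Yahoo! Messenger is absent).
    param([string]$Clsid)
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
}

function Set-KillBit {
    param([string]$CompatKey, [string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwrite, so any existing flags survive.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    # $true when the kill bit is present for the CLSID under this key.
    param([string]$CompatKey, [string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -ne 0)
}

function Remove-KillBit {
    # Undo: once Yahoo ships a fixed control, delete the key created above
    # so the webcam features work again.
    param([string]$CompatKey, [string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
}

foreach ($clsid in $VulnerableControls.Keys) {
    $dll = Get-RegisteredControlPath $clsid
    if ($dll) { Write-Host "$clsid ($($VulnerableControls[$clsid])) is registered to $dll" }
    else      { Write-Host "$clsid is not registered on this machine; control not installed" }

    foreach ($compatKey in $CompatKeys) {
        Set-KillBit -CompatKey $compatKey -Clsid $clsid
        $state = if (Test-KillBit -CompatKey $compatKey -Clsid $clsid) { 'SET' } else { 'MISSING' }
        Write-Host "  kill bit $state under $compatKey"
    }
}
```

Setting the kill bit even on machines where the CLSID is not registered is harmless and protects users who install Yahoo! Messenger later; the registration check is there so you know where the exposure actually is. The same key and value can be delivered by Group Policy Preferences (Registry) to every workstation at once.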

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow so your network users can access the World Wide Web, so a perimeter firewall cannot block it. Therefore, the kill-bit workaround above is your best protection until Yahoo! issues a patch.

Status:

We’ll update you as soon as Yahoo releases an updated version of Yahoo! Messenger.

