Severity: Medium
30 August, 2007
Summary:
Late yesterday, Yahoo released an update that fixes a security vulnerability affecting any version of Yahoo! Messenger installed before August 29, 2007. By enticing a Yahoo! Messenger user into visiting a malicious Web page, an attacker can exploit this new flaw to execute code on that user’s computer, and possibly gain full control of it. If you use Yahoo! Messenger in your network, or suspect that your users have installed it, either remove it or install the latest version.
Exposure:
Yahoo! Messenger is one of the many Instant Messaging applications that allow users to send real-time, pop-up messages to each other over the Internet. Instant Messaging is popular enough that your users might have installed the Yahoo! Messenger client on a company computer whether or not your policy authorizes it.
Yesterday, Yahoo released an advisory describing a buffer overflow vulnerability in an ActiveX control that ships with all previous versions of Yahoo! Messenger. The buffer overflow flaw lies specifically in the ActiveX control called YVerInfo.dll. By tricking one of your Yahoo! Messenger users into visiting a maliciously crafted Web page, an attacker could exploit this flaw to execute code on your user’s computer, with your user’s privileges. If the user has local administrative privileges, the attacker could gain total control of the user’s machine.
If you read WatchGuard Wire, you may remember our post about a similar vulnerability in Yahoo! Messenger, caused by a flaw in a webcam ActiveX control. Yahoo fixed that flaw as well, last week. By installing this Yahoo! Messenger update, you fix both this new vulnerability and that older one.
Solution Path:
Even if your organization does not officially endorse the use of unsecured Instant Messaging, employees sometimes persist in trying to sneak Instant Messaging software onto company machines. If you suspect some of your users have installed Yahoo! Messenger, consider forwarding a warning about this vulnerability to all the users on your network. If your company policy does call for the use of Instant Messaging, you should download and install the latest version of Yahoo! Messenger (8.1.0.419).
For All Users:
This attack travels as normal-looking HTTP traffic, which you need to allow so your network users can access the World Wide Web. Therefore, installing the Yahoo update is your best solution.
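Because the update is the only practical control here, the first job for an administrator is finding out which machines still carry an old client. The following PowerShell script is an added example written for this advisory, not code from Yahoo or WatchGuard: it compares the Yahoo! Messenger version recorded in the Windows Uninstall registry keys against the fixed build 8.1.0.419 named above, and reports whether any ActiveX CLSID is still registered to YVerInfo.dll. The advisory does not give the control's CLSID or install path, so the script searches by DLL file name instead, and the display-name pattern it matches on is an assumption.

```powershell
# Added example (not part of the original advisory): inventory check for the
# Yahoo! Messenger YVerInfo.dll ActiveX flaw. Run in an elevated PowerShell
# session on the workstation being checked.
# Assumptions: the product registers under a DisplayName containing
# "Yahoo" and "Messenger" (pattern below); the CLSID is unknown, so the
# control is located by the file name of its InprocServer32 entry.

$FixedVersion = [version]'8.1.0.419'   # fixed build named in the advisory

function Get-YahooMessengerVersion {
    # Read DisplayVersion from the standard Uninstall keys (32- and 64-bit views).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Yahoo*Messenger*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-YVerInfoClsid {
    # Walk HKCR\CLSID and return every CLSID whose InprocServer32 default
    # value points at YVerInfo.dll. A non-empty result means the vulnerable
    # control is still registered and reachable from a browser.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*YVerInfo.dll*') { $_.PSChildName }
        }
}

$installed = Get-YahooMessengerVersion
if (-not $installed) {
    Write-Output 'Yahoo! Messenger not found in the Uninstall registry keys.'
} else {
    try {
        if ([version]$installed -lt $FixedVersion) {
            Write-Output "Yahoo! Messenger $installed is OLDER than $FixedVersion - update or remove it."
        } else {
            Write-Output "Yahoo! Messenger $installed is at or above the fixed build."
        }
    } catch {
        # DisplayVersion was not a dotted version string; report it for manual review.
        Write-Output "Yahoo! Messenger found with unparseable version '$installed' - check manually."
    }
}

$clsids = @(Get-YVerInfoClsid)
if ($clsids.Count -gt 0) {
    Write-Output "YVerInfo.dll is registered as an ActiveX control under: $($clsids -join ', ')"
} else {
    Write-Output 'No CLSID is registered for YVerInfo.dll on this machine.'
}
```

The two checks are deliberately independent: a machine can report a current client version while an orphaned registration of the old DLL remains, and it is the registration, not the installer version, that a browser-reachable ActiveX attack depends on. Running the script through your existing remote-execution tooling across the fleet gives a list of hosts that still need the update or removal the advisory calls for.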
Status:
Yahoo has released an update to fix this vulnerability.