Yahoo! Messenger Buffer Overflow

Tipping Point’s Zero Day Initiative team released an advisory
describing a buffer overflow in Yahoo! Messenger 8. If an attacker can lure a
Yahoo! Messenger user into visiting a malicious Web page, the attacker
can exploit this buffer overflow to run code on that user’s computer,
and possibly gain full control of it. If you use Yahoo! Messenger in
your network, or suspect that users have installed it, either remove
it or install the latest version.

ZDI Advisory link
Yahoo! Advisory link

Q? Do you need to update Yahoo! Messenger to the new version?
A! Yes, if you are using a version of the All New Yahoo! Messenger obtained before March 13, 2007 on a Windows PC.

Since I’m an advocate of solutions and not just patches, let me offer two suggestions:
1. NEVER NEVER NEVER click a hyperlink in any IM client session. Even if it comes from someone you know, you can be compromised in a matter of minutes.
2. Dump IM altogether – IM software like this is continually found to be a security risk. I’d encourage you to uninstall the software completely and use a site like Ebuddy or Meebo to access messenger features without installing the software.