NEWS FROM THE LAB - Friday, June 8, 2007

Upgrade your Yahoo Messenger immediately Posted by SGMasood @ 12:57 GMT

Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate ActiveX controls related to webcam functionality. Both vulnerabilities are buffer overflows that can be exploited to execute arbitrary code on a victim's computer just by making him/her/it view a malicious web page in Internet Explorer.

Yahoo Messenger

Very accurate and script-kiddie-friendly exploits are publicly available for both vulnerabilities. It is possible that crimeware distributors will start exploiting this for drive-by downloads. Therefore, please install the latest upgraded version of Yahoo Messenger (Version as soon as possible. Yahoo will start distributing the new version soon through an automatic update, but until that happens, you will need to install the new version manually by going to the Yahoo Messenger download page. Quoting Yahoo:

Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.

Yahoo has a very good track record of fixing security issues quickly. However, I feel it is not proactive enough in communicating the security advisories to their users. For instance, for the current issues, there is no notice or link on the Yahoo Messenger home page or any other part of the website asking users to install the urgent security upgrade. You won't find the advisory unless you are looking for it.

Update (10th June): I just noticed that Yahoo has now added a prominent "Security Update" notice to the Yahoo Messenger home page. Good work, Yahoo!

Signing Off,