List: isn
Subject: [ISN] Yahoo! Messenger! multiple! vulns!
From: InfoSec News <isn () c4i ! org>
Date: 2002-05-29 9:48:28

http://www.theregister.co.uk/content/55/25466.html

By Thomas C Greene in Washington
Posted: 28/05/2002 at 09:08 GMT

There are two new Yahoo Instant Messenger (YIM) vulnerabilities which
can potentially compromise a user's machine, Vietnamese researcher
Phuong Nguyen has discovered. Yahoo! has been notified and a fixed
version is available for download here.

First up, an unchecked buffer which enables any URL beginning with
'ymsgr:' to call ypager.exe, crash it and run malicious code if the
messenger is integrated with the browser. All that's needed is 268
bytes to overflow the buffer, and exploit code can be loaded with the
user's level of privilege. The 'call', 'sendim', 'getimv', 'chat',
'addview' and 'addfriend' function calls can be exploited, Nguyen
says.

Next up a problem with the 'addview' feature which enables the
messenger to view Web content on its own. This is vulnerable to freaky
URLs and malicious JavaScript and VB script. Yahoo! content can be
duplicated and malicious scripts embedded in the HTML to give an
attacker numerous means to exploit a target. See Nguyen's original
advisory for links to a couple of simple demonstrations (which I've
not verified). Yahoo! has removed this particular 'feature' in the
fixed version pending further engineering magic to make it safe,
Nguyen says.

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
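
Added example (not part of the article or of Nguyen's advisory): a Python check that a mail or web content filter could run to flag 'ymsgr:' links matching the two issues described above. The ymsgr:<handler>?<argument> link form, measuring the percent-decoded argument against the 268-byte figure, and the yahoo.com allow-list for 'addview' are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Handlers the article names as reachable through the overflow.
HANDLERS = {"call", "sendim", "getimv", "chat", "addview", "addfriend"}
OVERFLOW_BYTES = 268  # figure reported in the article
# Assumption: links have the form ymsgr:<handler>?<argument>.
YMSGR_LINK = re.compile(r"ymsgr:([a-z]+)\?([^\s\"'<>]*)", re.IGNORECASE)
# Assumption: only hosts under yahoo.com are expected as addview targets.
TRUSTED_SUFFIX = "yahoo.com"


def addview_host(argument):
    """Return the lower-cased host an addview argument points at, or ''."""
    candidate = argument if "//" in argument else "//" + argument
    try:
        return (urlsplit(candidate).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unbalanced '['
        return ""


def audit_ymsgr_links(text):
    """Return (handler, reason) pairs for every suspicious ymsgr: link."""
    findings = []
    for match in YMSGR_LINK.finditer(text):
        handler = match.group(1).lower()
        if handler not in HANDLERS:
            continue
        argument = unquote(match.group(2))
        size = len(argument.encode("utf-8"))
        if size >= OVERFLOW_BYTES:
            findings.append((handler, f"argument is {size} bytes"))
        if handler == "addview":
            host = addview_host(argument)
            if host != TRUSTED_SUFFIX and not host.endswith("." + TRUSTED_SUFFIX):
                findings.append((handler, f"untrusted host {host!r}"))
    return findings


# Constructed sample page, not taken from the advisory.
SAMPLE = (
    '<a href="ymsgr:sendim?alice">ok</a>\n'
    '<a href="ymsgr:call?' + "A" * 300 + '">long</a>\n'
    '<a href="ymsgr:addview?http://news.yahoo.com/">ok</a>\n'
    '<a href="ymsgr:addview?http://yahoo.com.mirror.example/">copy</a>\n'
)

if __name__ == "__main__":
    print(audit_ymsgr_links(SAMPLE))
```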