Yahoo Messenger Webcam Zero-Day Exposed

By WebProNews Staff - Wed, 08/15/2007 - 17:57

Online chatter about a vulnerability in Yahoo Messenger has proven accurate, as a flaw in the service's Webcam capabilities can be exploited.

Security firm McAfee revealed today that hackers in China had been discussing a zero-day exploit available for Yahoo Messenger. McAfee confirmed the exploit existed, and notified Yahoo of their findings.

A malicious webcam invite can trigger a heap overflow in Yahoo Messenger. Heap overflows have been a very common exploit condition in all kinds of software over the years.

Until Yahoo provides a fix for the problem, McAfee recommended that Yahoo Messenger users avoid accepting webcam invites from untrusted sources until this flaw has been patched. For further security, those who can block outbound traffic on TCP port 5100 should do so while Yahoo bashes out a patch.

Yahoo's Webcam function also suffered from a problem with its ActiveX Controls back in June 2007. This new problem being discussed in China is not related to the June issue, which has been patched, McAfee said in its post.