Vulnerability uncovered within Yahoo Messenger

Security researchers say new vulnerability in Yahoo's IM program can potentially cause unwanted code to run on a PC

A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.

Details of the vulnerability were first posted on a Chinese-language security forum and was later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog.

So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.

The vulnerability affects Yahoo Messenger version 8.1.0.413. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behavior such as downloading other code, said Greg Day, a security analyst for McAfee in the U.K.

McAfee is advising that people reject Web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with program's operation, Day said.

Yahoo could not be immediately reached for comment.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies