A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.
Details of the vulnerability were first posted on a Chinese-language security forum and was later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog.
So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.
The vulnerability affects Yahoo Messenger version 8.1.0.413. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behavior such as downloading other code, said Greg Day, a security analyst for McAfee in the U.K.
McAfee is advising that people reject Web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with program's operation, Day said.
Yahoo could not be immediately reached for comment.
Sign up to receive Security Resource Alerts
A comprehensive security management solution can help you streamline, as well as grow, your current or evolving business. In this way, a strategic security approach can help you increase your competitiveness in these challenging market conditions.
Download now! »
Find out how you can effectively collect, normalize and archive enterprise-wide, security-related data that is invaluable for security investigation and compliance reporting.
Download now! »
This session focuses on the intersection of role management and identity compliance, and addresses the importance of identity compliance in enterprise governance and the challenges that organizations may face in achieving it.
View now! »
1 Recommendation
