McAfee warns of Yahoo Messenger Webcam bug

By Frank Washkuch
Aug 17, 2007 9:57 AM
The zero-day flaw was first published on Chinese security forums, but researchers at McAfee said this week that they recreated the flaw on Yahoo Messenger version 8.1.0.413.

The vulnerability "seems like a classic heap overflow that can be triggered when the victim accepts a webcam invite," Wei Wang, a researcher at McAfee Avert Labs, blogged on Wednesday.

McAfee said it notified Yahoo’s security team about the issue, and advised users to decline webcam invites from untrusted sources and block outgoing traffic on TCP port 5100 until the Sunnyvale, Calif.-based web giant releases a patch.

Dave Marcus, security research and communications manager at McAfee Avert Labs, told SCMagazine.com that no exploits for the flaw have been seen in the wild.

"We’re not seeing anything past proof of concept (PoC) code, so we have no reports of exploitation in the wild, but I think it’s important enough to let people know that we are monitoring the situation," he said.

"The choice of Yahoo Webcam as something to develop exploits for [is intriguing], and I think that’s a result of researchers being quick to know what’s popular out there and looking for vulnerabilities to exploit in those popular applications."

A Yahoo representative could not immediately be reached for comment.

In June, Yahoo patched two vulnerabilities in Messenger’s ActiveX control that had been disclosed by a hacker offering PoC exploit code.

A researcher using the name "Danny" had released two zero-day ActiveX exploits for Messenger’s Webcam application on the Full Disclosure mailing list.

 