Menu
 Home
 Local News    
 Global News
 Technical & Product News
 Opinions
 Contact Us
 Subscribe/Unsubscribe
 
 Publications
 ICT World
 Cable Talk
 Computing S.A.
 Network World
 The Channel
 IT users handbook
 
 Sponsors
 ICT World Company Directory
 
 Partners
 CareerJunction
 Johnnic Mag Division
 
 Privacy Policy
 Privacy Policy
 
   
   

Yahoo patches Messenger video bug

Date: 24 August 2007
Issue: Two hundred and forty nine (20/8/07 - 24/8/07)
(ICT World)
Category: Global News
Gregg Keizer, Computerworld (US online)
Yahoo has updated its Messenger instant messaging software to flush a bug that hackers could exploit by sending video chat invitations to unwary users.

The vulnerability, which surfaced last week in a posting to a Chinese security forum, could be exploited by duping a user into accepting a malicious webcam invitation, McAfee confirms.

In its advisory, Yahoo said that it had actually patched two bugs, the heap overflow disclosed last week and a previously unknown denial-of-service (DoS) issue that also involves Messenger's video chat feature. Speaking of the latter, Yahoo's alert said: "For this specific security issue, Messenger exits unexpectedly after accepting a webcam invitation from a malicious attacker."

Unlike the buffer overflow flaw, the DoS vulnerability would not give an attacker the chance to sneak his own malicious code onto the PC.

Messenger 8.1.0.416 is the summer's second patched-up IM client for Yahoo. In June, eEye Digital Security fingered Messenger for two other critical flaws in the webcam feature. Then, Yahoo patched the bugs considerably faster: It released a fix just a day after the flaws went public. According to McAfee researcher, Wei Wang, August's video vulnerability was not connected to the older June bugs.

Messenger users can download the patched version immediately, or wait for the software's auto-update to kick in. Yahoo acknowledges that it may take weeks for the update to be fully deployed. "Over the next several weeks, users worldwide will be prompted to update to a new version of Messenger upon signing into the service," Yahoo's advisory reads.