Security Flaw in Yahoo Messenger Web Chat discovered by McAfee
A new zero-day vulnerability in Yahoo Messenger has been discovered by McAfee Avert Labs.
McAfee researchers investigated the flaw after reading about it on a Chinese-language security forum on Tuesday, and then reproduced the vulnerability in Yahoo Messenger.
According to the team, the flaw could allow code-execution attacks. So far, however, there is no report of an exploit being made available online.
On the company blog, Wei Wang, a security researcher at McAfee, wrote, “It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo webcam ActiveX controls.”
Wang is referring to a vulnerability reported by the security firm eEye Digital Security, which Yahoo quickly fixed in version 8.1.0.401.
McAfee has alerted Yahoo to its discovery. Until the company issues a patch, users are being urged to protect themselves by not accepting webcam invites from untrusted sources.
McAfee is advising people to reject webcam invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is associated with the program’s operation, said a security analyst for McAfee in the U.K.
Speaking on this topic, Michael Sutton, a security evangelist at SPI Dynamics, stated, “The latest Yahoo IM vulnerability is a perfect example of a serious client-side vulnerability that leaves millions of unsuspecting users vulnerable to attack. Fortunately, we have not heard of widespread attacks using this attack vector, nor have we seen publicly available exploit code. Hopefully Yahoo will move quickly and push a patch down to all IM clients in order to mitigate this threat.”