Yahoo! Messenger 8.x hit by Critical Security Flaws but now Fixed

Search giant Yahoo has issued a number of fixes for a critical bug in its Yahoo Messenger IM client which, if exploited, could hand control of a user’s computer to a remote attacker.

The bug was in the ActiveX controls behind the webcam feature of Yahoo Messenger 8.x, and it allowed buffer overflows in the controls used to view or stream webcam images.

This created the conditions for a remote attack: a user only had to visit a malicious web site that exploited the flaw.

Security firm eEye Digital Security reported the bug to Yahoo on June 5, 2007.

eEye Digital Security stated in an advisory: “eEye Digital Security has discovered two critical vulnerabilities in ywcupl.dll (version 2.0.1.4) and ywcvwr.dll (version 2.0.1.4) included by default in all releases of Yahoo! Messenger 8.x. Ywcupl.dll is Yahoo’s Webcam Upload ActiveX Control used by Yahoo! Messenger to stream content from a user’s webcam to other users. Ywcvwr.dll is Yahoo! Messenger’s Webcam Viewer ActiveX Control used to view any streamed content. These files are normally used only when viewing or streaming webcam content to and from Yahoo Messenger, but they are incorrectly marked safe for scripting and can be instantiated by any website. Furthermore, they both fail to perform bounds checking on variables resulting in 2 stack-based buffer overflow conditions that could allow arbitrary code to execute in the context of the logged-in user.”
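The advisory names the bug class without showing it. As an added illustration, not code from Yahoo, eEye or this article, the C below models the pattern eEye describes: a property setter on a control that any web page can script copies a caller-controlled string into a fixed stack buffer with no length check, beside the bounded form that rejects oversized input. The function names, the 64-byte buffer size and the sample values are assumptions; the real controls' property names and buffer sizes are not given here. The unchecked setter is only ever called with a short value, because calling it with a long one is the overflow itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the control's internal buffer; the advisory does not
   give the real value for ywcvwr.dll or ywcupl.dll. */
#define SERVER_NAME_MAX 64

/* Vulnerable shape: a property setter that copies a script-controlled string
   into a fixed stack buffer with no length check. Because the control is
   marked safe for scripting, any web page chooses the length of `value`;
   a value longer than the buffer overwrites what sits above it on the stack
   (saved registers, return address). Only call this with short input; it is
   here to show the pattern, not to be triggered. */
int set_server_unchecked(const char *value)
{
    char server[SERVER_NAME_MAX];
    strcpy(server, value);               /* no comparison against sizeof server */
    return (int)strlen(server);
}

/* Reports whether `value` would overrun the buffer in set_server_unchecked
   (the terminating NUL needs one byte too). */
int would_overflow(const char *value)
{
    return strlen(value) >= SERVER_NAME_MAX;
}

/* Hardened shape: check the length against the destination size before
   copying and refuse oversized input outright (a COM setter would return
   E_INVALIDARG rather than silently truncate). Returns 0 on success, -1 when
   the value is rejected. */
int set_server_checked(const char *value, char *dst, size_t dst_len)
{
    size_t n;
    if (value == NULL || dst == NULL || dst_len == 0)
        return -1;
    n = strlen(value);
    if (n >= dst_len)
        return -1;
    memcpy(dst, value, n + 1);           /* bounded copy, NUL included */
    return 0;
}

/* Build a string of `len` 'A' bytes: constructed stand-in for the over-long
   property value a hostile page would supply. Caller frees. */
char *make_payload(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

/* Feed a `len`-byte payload to the hardened setter and return its verdict
   (0 accepted, -1 rejected, -2 allocation failure). */
int checked_with_payload(size_t len)
{
    char dst[SERVER_NAME_MAX];
    char *p = make_payload(len);
    int rc;
    if (p == NULL)
        return -2;
    rc = set_server_checked(p, dst, sizeof dst);
    free(p);
    return rc;
}

/* Run the same payload through the length test only (never through the
   unchecked strcpy); returns 1 when it would have smashed the stack. */
int unchecked_would_overflow(size_t len)
{
    char *p = make_payload(len);
    int r;
    if (p == NULL)
        return -1;
    r = would_overflow(p);
    free(p);
    return r;
}

int main(void)
{
    char dst[SERVER_NAME_MAX];
    const char *benign = "webcam.example";   /* constructed sample value */

    printf("benign value, unchecked setter: %d chars copied\n",
           set_server_unchecked(benign));
    printf("benign value, checked setter: rc=%d dst=%s\n",
           set_server_checked(benign, dst, sizeof dst), dst);
    printf("200-byte value would overflow unchecked setter: %d\n",
           unchecked_would_overflow(200));
    printf("200-byte value, checked setter: rc=%d\n",
           checked_with_payload(200));
    return 0;
}
```

The second half of the advisory, the controls being marked safe for scripting, is a COM registration matter rather than a code bug in the setter, and is not modelled above; the point of the bounds check is that it has to hold even when the caller is an arbitrary web page rather than Yahoo Messenger itself.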

But according to Marc Maiffret, a researcher at eEye Digital Security, Yahoo’s own public discussion of the flaw may have led to the exploit code.

eEye refused to say more publicly, as the company felt that additional details would enable someone to target the holes in Yahoo Messenger 8.x.

Maiffret, who holds up Microsoft as a model for handling vulnerabilities responsibly, said he has no doubt that Yahoo! aided hackers by releasing so many details before a patch was available for download.

He also said that companies responding to security problems should learn from this mistake.

“A lot of these non-Microsoft companies, if you will, are still behind in vulnerability response practices”, said Maiffret. “This just goes to show it. There’s no reason at all for a vendor to list the components,” he added.