Windows Security : NEW Zero Day Exploit Hits Yahoo Messenger
Posted by Max on 2007/8/16 13:21:53 (674 reads)

A post on a Chinese-language security forum claims that there is a zero-day vulnerability in Yahoo Messenger. Researchers at Avert Labs have found that this flaw may allow for user-assisted remote-code execution attacks. No code exploiting this flaw has been published yet.

The vulnerability, apparently a heap-overflow bug, can be exploited by duping a user into accepting a malicious webcam invitation, said Wei Wang, a Beijing-based researcher at McAfee's Avert Labs.

Yahoo Inc.'s security team has been told of the bug and its exploit, Wei added.

This new zero-day vulnerability is Messenger's second in the past 30 days, and its third since early June. Last month, a researcher posted news of a buffer overflow in the instant messaging client triggered by a malformed address book entry. That bug has not been patched, even though a Yahoo spokeswoman said July 17 that a fix would be issued "shortly."

In June, eEye Digital Security fingered Messenger for a critical ActiveX vulnerability in the software's webcam feature; Yahoo patched that bug June 7.

"[Today's] vulnerability is different from the recently patched one in June," Wei said. Until the IM client is patched, McAfee recommended that users ignore unexpected webcam invites and block outbound traffic on TCP port 5100.

As in July, a Yahoo spokeswoman said the company was "working toward a resolution and expect[s] to have a fix shortly."
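
One way to confirm that the recommended block on outbound TCP port 5100 is actually in effect is to review the host firewall log for connections to that port. The script below is an added example, not part of the original article or of McAfee's advisory; it assumes Windows Firewall logging is enabled and writes the standard `pfirewall.log` layout, and the sample log lines and addresses are constructed.

```python
from collections import Counter

WEBCAM_PORT = "5100"  # TCP port named in McAfee's advice

# Constructed sample in Windows Firewall log (pfirewall.log) layout; addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-08-16 13:02:11 ALLOW TCP 192.168.1.20 203.0.113.7 49211 5100 0 - 0 0 0 - - - SEND
2007-08-16 13:02:40 DROP TCP 192.168.1.21 203.0.113.7 49300 5100 0 - 0 0 0 - - - SEND
2007-08-16 13:03:02 ALLOW TCP 192.168.1.20 198.51.100.9 49212 443 0 - 0 0 0 - - - SEND
2007-08-16 13:04:17 ALLOW TCP 203.0.113.7 192.168.1.22 5100 49555 0 - 0 0 0 - - - RECEIVE
2007-08-16 13:05:30 ALLOW UDP 192.168.1.23 203.0.113.8 50000 5100 0 - - - - - - - SEND
2007-08-16 13:06:00 ALLOW TCP 192.168.1.20 203.0.113.7 49213 5100 0 - 0 0 0 - - - SEND
"""

def parse(log_text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def webcam_port_report(log_text):
    """Count outbound TCP/5100 attempts per source host, split by firewall action."""
    allowed, dropped = Counter(), Counter()
    for rec in parse(log_text):
        # Logs without a path column are treated as outbound records.
        outbound = rec.get("path", "SEND") == "SEND"
        if rec.get("protocol") == "TCP" and rec.get("dst-port") == WEBCAM_PORT and outbound:
            bucket = allowed if rec.get("action") == "ALLOW" else dropped
            bucket[rec["src-ip"]] += 1
    return dict(allowed), dict(dropped)

if __name__ == "__main__":
    allowed, dropped = webcam_port_report(SAMPLE_LOG)
    for host, n in allowed.items():
        print(f"block rule missing or bypassed: {host} made {n} outbound TCP/5100 connection(s)")
    for host, n in dropped.items():
        print(f"blocked as intended: {host} ({n} attempt(s))")
```

Any host listed under the allowed bucket is still reaching port 5100 and needs its outbound rule checked.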



