Exploit code targeting Yahoo Messenger has been published on the Internet, raising the number of Yahoo Messenger vulnerabilities and exploits to 9 this year alone.
In a message to the milw0rm.com Web site, someone identified as "shinnai" disclosed malicious Visual Basic code that allegedly lets attackers feed any file to users of the latest version of Messenger. The exploit code successfully executes on a fully patched PC running Windows XP SP2, shinnai said, although the effect depends on the security settings of Internet Explorer (IE).
According to an e-mail alert from nCircle Network Security Inc., hackers armed with the exploit could force-feed malware such as a Trojan horse to vulnerable users. It was nCircle that pegged the latest zero-day threat against Messenger as No. 9 for the year.
IE's security, however, can mitigate an attack. Users running the newer IE 7 with default security settings will probably be protected.
"This latest exploit is another data point in the strong trend toward IM client attacks," said Andrew Storms, nCircle's director of security operations. "IM vendors jockeying for market share are trying to lure new users with new features that also open up new risks to end users."
Yahoo Inc., which patched Messenger twice last month, did not immediately respond to a request for confirmation of the newest flaw and queries about a patch timeline.