*YAHOO! IM FLAW PATCHED
By SWD Staff
As further evidence of the increasing risks for networks carrying instant messaging applications, Yahoo! recently fixed two significant flaws in its Yahoo! Instant Messenger (YIM) that allow a user to give up control of his machine to an attacker. The holes affect subscribers using YIM version 5.0 on Windows 98/2000/XP. A new version available for download since May 24 includes fixes.
Media analysts estimate that up to 32 percent of more than 200 million instant-messaging users worldwide use YIM. Vulnerabilities also have been found recently in two other popular IM services, MSN Instant Messenger and AOL Instant Messenger.
The first YIM vulnerability involves a buffer overflow in the program that enables any URL beginning with the ymsgr suffix to call ypager.exe and crash it. This allows malicious code to be launched through the interaction between YIM and the browser.
The second vulnerability deals with Visual Basic script or JavaScript used to create new content information tabs or alter existing ones. The new tabs can then allow an attacker to steal the account's username and password. Information tabs give YIM users one-click access to customized information within the application.
"The net impact is to allow a relatively simple opportunity to hijack users' YIM client outright, and use it to attack or intrude into YIM users supposedly private information systems," wrote Phuong Nguyen, a security researcher at Vietnam-based Vice Consulting, in a Bugtraq posting.
A repaired version is available at http://download.yahoo.com/dl/installs/ymsgr/ymsgr_1065.exe
