Posted by: Amker
« on: 12. June 2007., 22:43:13 »

USA - Exploit code has hit the Internet for the critical flaws in Yahoo Messenger that could enable a remote hacker to take control of a user's system.

Yahoo Inc was quick out of the gate and released a fix for the vulnerabilities last Friday, just two days after the flaws were publicly disclosed. The trouble is that Terrell Karlsten, a spokeswoman for Yahoo, apparently disclosed too much information about the bugs in an interview with InformationWeek.

And that information helped lead a hacker, who identifies himself only as "Danny," right to the flawed code.

On June 5, eEye Digital Security released information about the vulnerabilities, giving out very little information about them. Marc Maiffret, co-founder and CTO of the security company, said his researchers found the bugs within the last few weeks and reported them to Yahoo the week before. eEye's researchers reported that there actually were multiple flaws in version 8 of Yahoo's instant messenger client software.

Maiffret was careful not to give out too much information about the flaw until Yahoo could issue a patch for it. However, when InformationWeek contacted Karlsten, she replied in an e-mail, saying, "We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for Webcam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly."

It was fixed shortly, but not before the hacker seemingly used this information to find the bug himself and create an exploit for it.

"Danny" posted his exploit online on June 6, the day the story ran. Including the URL to the InformationWeek story, he boasted that he found the flaw after only 45 minutes of fuzzing - a software-testing or bug-finding technique. Karlsten could not be reached for comment before deadline.

"We were all freaked out when we saw the story," said Maiffret.

"We figured we'd see an exploit within a few days."

He added that the problem was that Karlsten gave too many specifics.

"She talked about what control is vulnerable," he said.

"She pinpointed the exact component and functionality. It goes to show that some companies, like Yahoo and a handful of others, are so behind the times with security. I kind of feel bad for the PR person at Yahoo. She probably was just reading off what the tech team said."

The Internet Storm Center is advising users to upgrade to the latest (patched) version of Yahoo Messenger as soon as possible. The site also is giving "kudos" to Yahoo for getting the problem fixed so quickly.

Itnews