[ news_security_news ]
Yahoo Posts Quick Fix For Messenger Bug
Doug Caverly
Staff Writer
2007-06-11
 Insider Reports RSS Feed
As always, it would have been best if the vulnerability hadn't existed in the first place. That said, you may have to give Yahoo credit for its quick response - after two sample attacks were posted online, the company patched up its messenger service within about 24 hours.
 | | Yahoo Posts Quick Fix For Messenger Bug |  |
On the other hand, The Register's Dan Goodin writes, "Yahoo!'s own discussion of the flaw may have led to the exploit code, according to Marc Maiffret, a researcher at eEye Digital Security, the security firm that discovered the security hole. An advisory eEye posted on Wednesday warned only that 'multiple flaws exist within Yahoo! Messenger which allow for remote execution of arbitrary code with minimal user interaction,'" but "eEye refused to say more publicly, out of concern the additional details would enable someone to target the holes."
Then, Goodin continues, "That didn't stop a Yahoo! spokeswoman from disclosing in a story by Information Week that the security issue was connected to a buffer overflow in Yahoo! Messenger's ActiveX control. She revealed that it was part of the code the program uses to upload and view web cam images."
This gaffe appears to have led to the proof-of-concept attacks, which in turn led to Yahoo's admirably fast release of a patch. It's not fair to blame an entire company for the mistake of a single overly chatty representative, but Yahoo would do well to not repeat this error in the future.
There's one last bright side to all of this - according to Yahoo, obtaining and installing the Yahoo Messenger patch "should take no more than a couple minutes."
Tags: Yahoo, Proof-Of-Concept, Patch, Messenger
About the Author:
Doug is a staff writer for SecurityProNews, InternetFinancialNews, SearchNewz, and WebProNews.
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
