A specially crafted address book entry in Yahoo Messenger could cause the product to crash, and may present an arbitrary code execution problem.
Rajesh Sethumadhavan reported his discovery of the problem in Yahoo Messenger on the XDisclose website, but later withdrew it and other advisories until they have been patched.
Rajesh found Yahoo Messenger 8.1 for Windows vulnerable to a buffer overflow, one of the more common problems seen in software. He provided a proof of concept for this address book entry problem:
• Create a address book entry using yahoo portal with large amount of 'a' in "email address" textbox.
• Login to Yahoo Messenger
• Go to address book tab in Yahoo Messenger
• Place your mouse over the specially crafted address book entry
• Yahoo Messenger will immediately crash
Exploiting the client in this way could allow an attacker to cause arbitrary code to be executed under the local user's privileges.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
RSS
Archive
Contact Us
Advertise
