New Zero-Day Flaw for Yahoo Messenger

McAfee said Wednesday that it was able to confirm an earlier reported zero-day flaw in Yahoo Messenger, which could put users at risk of a code-execution attack.

According to a post on the company's Avert Labs web log, the flaw can be exploited when the victim accepts an invite for a webcam chat. McAfee said that it had informed Yahoo of the issue; Yahoo was not available for comment.

The heap overflow error was reproduced in McAfee labs using Yahoo Messenger version 8.1.0.413 based on information found in a Chinese security forum. This flaw is said to be different from another webcam flaw that was patched by Yahoo in June.

That exploit took advantage of buffer overflow issues within the Webcam ActiveX component, while the other causes a buffer overflow in the ywcvwr.dll viewer. The issues affect both Yahoo Messenger 8.0 and 8.1 running on Windows.

McAfee recommended several steps for users to take until Yahoo patches the issue. "Don't accept webcam invites from untrusted sources until a patch for this is released," Wei Wang said. "It's advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability."


© 1998-2024 BetaNews, Inc. All Rights Reserved.