Exploits released for zero-day Yahoo Messenger vulnerabilities

A hacker named "Danny" has released two zero-day ActiveX exploits for Yahoo Messenger's Webcam application.

The hacker released the exploits on the Full Disclosure mailing list early today and late last night.

The flaws, ranked at the highest severity levels in security advisories, allow remote code execution and exist in Yahoo Messenger version 8 and earlier.

The first flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to an advisory released by Secunia.

The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia, which ranked the flaws as "extremely critical," meaning they are unpatched, can allow remote code execution and exploits are in the wild.

eEye Digital Security warned in an advisory today that ActiveX zero-day flaws are especially dangerous because they can receive malicious payloads from any website.

The Ocean County, Calif.-based firm cautioned PC users that the flaws are "high" severity.

FrSIRT warned that the vulnerabilities are "critical."

Yahoo spokesperson Terrell Karlsten said today that the company "began working towards a resolution and expect(s) to have a fix shortly."

Andrew Storms, director of security operations for nCircle, said that one reason the flaws are dangerous is that instant messaging applications are widespread, and security professionals might not be aware of how widespread.

"The impact of this vulnerability is extensive because it could allow attackers to take complete control of a user’s system, and two public proof-of-concept exploits are available. This leaves many thousands of internet consumers at high risk," he said.

"Enterprise users on Yahoo IM are particularly at risk because IM may not be a sanctioned application, but still be in wide use across networks. IT security teams must figure out where it is installed before they can take steps to protect the network."