
Yet Another Yahoo Messenger Bug


The popular IM client Yahoo Messenger now gets another strike. Researchers at McAfee have verified and reproduced a bug first reported by a Chinese researcher.

The bug lies in the Webcam function and affects the most recent version of Yahoo Messenger as of today, V8.1.0.413.

“It seems like a classic heap overflow, which can be triggered when the victim accepts a Webcam invite,” wrote one of the McAfee researchers.

The bug, according to McAfee, may enable user-assisted remote-code execution attacks. Informationweek.com says it has not yet seen any exploit code for this flaw published. However, compiled proof-of-concept code is currently available, and it causes a DoS (denial of service) on the victim's computer (i.e. anyone using Yahoo Messenger).

McAfee said it has contacted Yahoo’s security team and notified it of the problem.

“Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly,” said a Yahoo spokesman in an e-mail to InformationWeek. “Yahoo takes security seriously and consistently employs measures to help protect our users.”

However, the hacker who found this bug claimed that Yahoo Messenger was poorly written and that there might be more potential security flaws.

Back in June, Yahoo Messenger was patched for a buffer-overflow flaw in an ActiveX control, which is also part of the Webcam feature.

McAfee’s researchers offer up a few recommendations to deal with this latest bug:

  • Users should not accept Webcam invites from untrusted sources until a patch for this vulnerability is released and installed.
  • Block outgoing traffic on TCP port 5100 until Yahoo can patch the flaw.
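The second recommendation only helps if the block is actually in place on every host, so a quick way to check is to look for outbound TCP/5100 connections in the firewall logs. The script below is an added example, not code from the article, McAfee or Yahoo: it parses a constructed log format (a real firewall exports its own format and needs its own parser), lists every webcam connection attempt, and reports the hosts whose attempts were still allowed through.

```python
"""Flag Yahoo Messenger webcam traffic (TCP port 5100) in firewall logs.

Added example accompanying the recommendation to block outgoing TCP/5100
until the webcam flaw is patched. The line format and the sample lines are
constructed for this example, not taken from any real firewall.
"""
import re
from dataclasses import dataclass

WEBCAM_PORT = 5100  # port named in the McAfee recommendation

# Constructed line format: "<time> <src>:<sport> -> <dst>:<dport> <proto> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<action>ALLOW|DENY)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    action: str


def parse_line(line):
    """Return the matched fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def webcam_sessions(lines):
    """Every outbound TCP/5100 connection attempt, whether allowed or denied."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        if rec["proto"] == "TCP" and int(rec["dport"]) == WEBCAM_PORT:
            found.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["action"]))
    return found


def unblocked_sessions(lines):
    """Webcam attempts the firewall let through: the block rule is missing or ineffective."""
    return [f for f in webcam_sessions(lines) if f.action == "ALLOW"]


# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    "2007-08-10T14:02:11 10.0.0.12:49321 -> 203.0.113.5:5100 TCP ALLOW",
    "2007-08-10T14:02:15 10.0.0.12:49322 -> 203.0.113.5:443 TCP ALLOW",
    "2007-08-10T14:03:01 10.0.0.27:51044 -> 198.51.100.9:5100 TCP DENY",
    "2007-08-10T14:03:09 10.0.0.27:51045 -> 198.51.100.9:5100 UDP ALLOW",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in webcam_sessions(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} TCP/{WEBCAM_PORT} {f.action}")
    hosts = sorted({f.src for f in unblocked_sessions(SAMPLE_LOG)})
    print("hosts still able to reach TCP/5100:", ", ".join(hosts) or "none")
```

On the sample data, 10.0.0.12 shows up as a host whose webcam connection was allowed, while 10.0.0.27 was correctly denied. Note that the block stops legitimate webcam sessions as well as malicious invites, so it is a stopgap until the patch is installed rather than a permanent rule.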
