DigitMemo.com

Microsoft sends out Windows Live Messenger 9.0 beta invites

No sooner has the Windows Live Wave 2 suite been released than the first Wave 3 beta begins - Windows Live Messenger v9. Unlike the betas that have just finished, the Messenger v9 beta is being run from Microsoft Connect as a private beta, meaning that, for the moment at least, unless you receive an invite, you won’t be able to participate.

For the moment it looks like most previous Windows Live testers are getting invites, so stay tuned to your inbox. With such a popular beta like this, you better sign up quick.

So what’s new? While the goodies aren’t yet available, we’ve heard about Multiple Points Of Presence (MPOP) support, which allows you to sign in from multiple devices, ie be online at two places at once.

The popular IM, Yahoo Messenger, now get another strike. Researchers at McAfee have verified and reproduced a bug first reported by a Chinese researcher.

The bug is caused by the Webcam function and on the most recent version of Yahoo Messenger as of today, V8.1.0.413.

“It seems like a classic heap overflow, which can be triggered when the victim accepts a Webcam invite,” wrote one of the McAfee researchers.

The bug, according to McAfee, may enable user-assisted remote-code execution attacks. Informationweek.com claims that they have not seen any exploit code for this flaw published yet. However, a complied code is currently available as prototype and will initiate a DoS(deny of service) attack to victim computer(i.e. anyone using Yahoo Messenger).

McAfee said it has contacted Yahoo’s security team and notified it of the problem.

“Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly,” said a Yahoo spokesman in an e-mail to InformationWeek. “Yahoo takes security seriously and consistently employs measures to help protect our users.”

However, the hacker who found this bug claimed that Yahoo Messenger was poorly written, and there might be more potential security flaw.

Back in June, Yahoo Messenger was patched due to a buffer-overflow flaw in an ActiveX control, which is also part of the Webcam.

McAfee’s researchers offer up a few recommendations to deal with this latest bug:

• Users should not accept Webcam invites from untrusted sources until a patch for this vulnerability is released and installed
• Block outgoing traffic on TCP port 5100 until Yahoo can patch the flaw.