Zero-day Flaw in Yahoo & AIM IM
Two commonly used instant messaging programs have zero-day vulnerabilities that could expose a huge number of computer users to attacks from malicious hackers.
A hole exists in Yahoo! Messenger that could leave users susceptible to code execution attacks.
A security researcher warned on September 19, 2007 that attack code targeting Yahoo! Messenger is available on the Internet. The exploit code is the ninth one aimed at the widely used Instant Messaging (IM) software so far in 2007.
A person identified as 'Shinnai' used the milworm.com Website to post the exploit, known as Visual Basic, that could enable hackers to insert any file onto the systems of users running the updated version of Messenger. PC WORLD published this on September 19, 2007. The malicious code can run successfully on a fully patched PC with Windows XP SP2, Shinnai added. However, the impact depends on Internet Explorer's security settings.
An e-mail alert from nCircle Network Security Inc. said that hackers possessing the exploit are capable of forcing malware such as a Trojan horse onto vulnerable computers. This was the same company that ranked the new zero-day threat against Yahoo! Messenger as No. 9 in 2007.
In addition, anti-virus provider Secunia has issued an advisory regarding a security bug in AOL Messenger Version 220.127.116.11, which, when exploited, could allow arbitrary script code execution. Secunia released this on September 19, 2007.
The Secunia advisory also said that input passed to the Notification window is not properly sanitized before it is displayed to the user. This could be used to run arbitrary code in the My Computer local zone by sending another user a specially crafted message.
The exploitation would be successful if the target user is chatting online with another user so that the Notification window could be opened, if the attacker is in the Buddy List of the targeted user, or if the targeted user accepts the attacker's IM message.
Secunia advised AIM users to disable the "New IMs arrive" feature in the 'Notifications' settings until a security patch is ready.
» SPAMfighter News - 06-10-2007