Flaws Detected in Yahoo Music Jukebox
On February 5, 2008, the US Computer Emergency Readiness Team (US-CERT) posted a warning about two critical vulnerabilities recently detected in Yahoo's Mediagrid ActiveX and Music Jukebox YMP Datagrid controls, which contain multiple buffer overflow bugs.
Secunia ASA, a Danish vulnerability-tracking company, said in a comment on the flaws that attackers successfully exploiting them could execute arbitrary code when a user visits a malicious website. The company rated both flaws 'extremely critical', the highest severity rating in its five-level scoring system.
Symantec Corp. also confirmed that the flaws affect Yahoo Music Jukebox. In a warning to users of its Deep Threat Management service, Symantec said that it had not seen any incident of the flaws being exploited; however, since the controls are widely distributed, it may be assumed that attackers will make use of these issues, according to a CRN report of February 5, 2008.
According to experts, these types of bugs could well be targeted by cyber attacks from student organizations in China.
Roger Thompson, Chief Research Officer at Orlando, Fla.-based AVG Technologies, recalled how these Chinese student groups had compromised the Super Bowl website the previous year (2007) and had also been involved in waging attacks within virtual environments.
Thompson said that in earlier instances Chinese exploit-code developers have been quick to take advantage of something similar to this. He commented that the college kids are very bright: they first show off their skills and slowly draw the attention of organized criminal gangs, who then borrow their exploits.
Yahoo's Music Jukebox is the player software that runs by default for the portal's music offerings, which include the flat-fee Yahoo Music Unlimited subscription service and Yahoo's pay-per-track catalog. But on February 5, 2008, Yahoo announced that it would retire Music Unlimited and hand it over to the Rhapsody music service of RealNetworks Inc.
Yahoo has not yet released fixes for the bugs. In the meantime, as a workaround, US-CERT advises users to disable the YMP Datagrid ActiveX control in Internet Explorer, a step that also prevents other ActiveX flaws from being exploited.
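The workaround US-CERT describes, disabling a specific ActiveX control in Internet Explorer, is done by setting the control's "kill bit" in the registry. The PowerShell below is an added example written for this article, not code from US-CERT or Yahoo; the CLSID is a placeholder because the article does not give the control's real CLSID, which must be taken from the US-CERT advisory.

```powershell
# Added example: set the Internet Explorer kill bit for an ActiveX control so IE
# refuses to instantiate it. Run from an elevated (Administrator) prompt.
# PLACEHOLDER CLSID: the real CLSID of the YMP Datagrid control is not in the
# article; replace it with the value from the US-CERT advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # COMPAT_FLAG_KILL_BIT, documented in Microsoft KB240797
$Key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Set-ActiveXKillBit {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so any compatibility flags already present are preserved.
    $new = $current -bor $Flag
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Test-ActiveXKillBit {
    param([string]$Path, [int]$Flag)
    $v = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $Flag) -eq $Flag)
}

Set-ActiveXKillBit -Path $Key -Flag $KillBit | Out-Null
if (Test-ActiveXKillBit -Path $Key -Flag $KillBit) {
    Write-Output "Kill bit set for $Clsid; Internet Explorer will no longer load this control."
}
# On 64-bit Windows, 32-bit Internet Explorer reads the same value under
# HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid,
# so repeat the call with that path to cover both IE variants.
```

Unlike uninstalling the software, the kill bit only blocks the control from loading inside Internet Explorer, so the vulnerable code remains on disk until Yahoo ships a patched version.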
» SPAMfighter News - 13-02-2008