Hacker Issues Exploit Code for Yahoo Messenger Flaw Following Explicit Disclosures

A code to exploit the critical vulnerabilities in Yahoo Messenger has come up. The flaws are capable of giving a remote hacker full control of a victim's system.

Yahoo Inc. responded quickly by fixing the vulnerabilities on Friday June 8, 2007. The flaws were publicly revealed two days back. But there was a problem. A Yahoo spokeswoman, Terrell Karlsten seems to have given out more than necessary details to InformationWeek in an interview, as per the news reported by Itnews on June 12, 2007.

The disclosed information helped a hacker, who calls himself "Danny", to exploit the flaws. Yahoo issued its patches after the hacker set free two Active X exploits for the Webcom application of Yahoo Messenger via the Full Disclosure mailing list.

According to Marc Maiffrett, a researcher at security company eEye Digital Security, detected the loophole, Yahoo's elaborate discussion of the vulnerability was responsible for the creation of the exploit code. EEye posted warning in an advisory that there exist many flaws within Yahoo Messenger all of which enable remote running of arbitrary code with the least user interaction. EEye would not say more because it was concerned that the additional information could help someone to attack through the holes, as per the news published by The Register in early June 2007.

Danny posted his exploit code on the Internet on June 6, the day the flaw was disclosed. He bragged about finding the flaw after just 45 minutes of 'fuzzing', a technique to find bugs. He also boasted that he discovered the URL in the story in InformationWeek.

Maiffrett said they all felt freaked out when they read the story. They knew an exploit was coming in a few days. The trouble was Karlsten disclosed a lot many specifics. She talked about the core component and its functionality. It shows how some companies like Yahoo and others could not catch up with the latest securities. Maiffrett continued to say that he felt sorry for the Yahoo PR person who probably said all that the tech team told her, as per the news published by Itnews on June 12, 2007.

Related article: Hacker & Virus in MySpace

» SPAMfighter News - 6/29/2007