New vulnerabilities reported in AIM, Yahoo Messenger
by Russell Shaw
ZDNet’s Ryan Naraine reports zero-day vulnerabilities in Yahoo! Messenger and AOL Instant Messenger.
In the case of Yahoo! Messenger, a hole exists that could leave users vulnerable to code execution attacks.
Additionally, anti-virus solutions provider Secunia has posted an advisory referring to an AOL Instant Messenger version 6.1.41.2 security bug that could be exploited to execute arbitrary script code.
The note reads:
Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.
Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.
And that’s not OK.
As a security policy strategy, Secunia is suggesting that AIM users disable the "New IMs arrive" option in the "Notifications" settings until a patch is available.
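The root cause Secunia describes is a notification window that treats buddy-supplied text as markup. The following is an added example, not AIM's code, contrasting that pattern with one that escapes every network-supplied field before building the window's HTML; the template, field names and sample message are constructed for illustration.

```javascript
// Added example (not AIM's or Secunia's code). Builds the HTML for an IM
// notification window two ways: the vulnerable pattern, where sender and
// message text are concatenated straight into markup, and a hardened
// pattern that escapes untrusted fields so they are shown as plain text.
// The template and field names are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that can change HTML element or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender name and message body are trusted as markup,
// so any tag inside the message becomes part of the rendered window.
function renderNotificationUnsafe(sender, message) {
  return `<div class="im-notify"><b>${sender}</b>: ${message}</div>`;
}

// Hardened pattern: every field that arrived over the network is escaped,
// so the window only ever contains the four tags of our own template.
function renderNotificationSafe(sender, message) {
  return `<div class="im-notify"><b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}</div>`;
}

// Count HTML tags in rendered output; a quick check that nothing beyond the
// template's own tags made it into the window.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

// Constructed sample: a sender name and message carrying markup, as a
// crafted IM could (harmless tags used deliberately).
const SAMPLE_SENDER = 'buddy<i>x</i>';
const SAMPLE_MESSAGE = 'hello <marquee>injected</marquee>';

console.log('unsafe tags:', countTags(renderNotificationUnsafe(SAMPLE_SENDER, SAMPLE_MESSAGE)));
console.log('safe tags:  ', countTags(renderNotificationSafe(SAMPLE_SENDER, SAMPLE_MESSAGE)));
```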