- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Yahoo Messenger YVerInfo.dll ActiveX Multiple Remote Buffer Overflow
Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Yahoo! Messenger is a instant messaging application that allows users to
chat online, share files, conduct PC to PC calls and more. Remote
exploitation of multiple buffer overflow vulnerabilities in Yahoo Inc.'s
Yahoo! Messenger 8.1 allows attackers to execute arbitrary code with the
privileges of the currently logged in user.
DETAILS
Vulnerable Systems:
* Yahoo Instant Messenger version 8.1
When Yahoo Messenger 8.1 is installed, the following vulnerable ActiveX
Control is registered on the system.
ProgID: YVerInfo.GetInfo.1
Clsid: D5184A39-CBDF-4A4F-AC1A-7A45A852C883
File: C:\Program Files\Yahoo!\Common\YVerInfo.dll
Version: 2006.8.24.1
Stack based buffer overflows can be triggered through either the fvCom()
or info() methods of this class.
Analysis:
Exploitation allows attackers to execute arbitrary code with the
privileges of the currently logged in user. Users would be required to
have a vulnerable version of the target software installed and be lured to
a malicious site.
It is important to note that functions within this class can only be
called if the control believes it is being run from the yahoo.com
domain. In order for this exploit to be triggered an attacker would either
have to leverage a Cross-Site Scripting vulnerability in the yahoo.com
domain, or be able to control the targeted user's DNS resolution for the
domain.
Workaround:
Setting the kill bit for the vulnerable ActiveX control's CLSID will
prevent these issues from be exploited within Internet Explorer.
Vendor response:
Yahoo Inc. has addressed these vulnerabilities by releasing an updated
version of Yahoo! Messenger. More information is available at the
following URL: <http://messenger.yahoo.com/security_update.php?id=082907>
http://messenger.yahoo.com/security_update.php?id=082907
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4515>
CVE-2007-4515
Disclosure timeline:
08/21/2007 - Initial vendor notification
08/21/2007 - Initial vendor response
08/30/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment