Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591
Vulnerable Systems:
* Yahoo Instant Messenger version 8.1
When Yahoo Messenger 8.1 is installed, the following vulnerable ActiveX Control is registered on the system.
ProgID: YVerInfo.GetInfo.1
Clsid: D5184A39-CBDF-4A4F-AC1A-7A45A852C883
File: C:\Program Files\Yahoo!\Common\YVerInfo.dll
Version: 2006.8.24.1
Stack-based buffer overflows can be triggered through either the fvCom() or info() methods of this class.
Analysis:
Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged-in user. Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site.
It is important to note that functions within this class can only be called if the control believes it is being run from the yahoo.com domain. In order for this exploit to be triggered, an attacker would either have to leverage a Cross-Site Scripting vulnerability in the yahoo.com domain, or be able to control the targeted user's DNS resolution for the domain.
Workaround:
Setting the kill bit for the vulnerable ActiveX control's CLSID will prevent these issues from being exploited within Internet Explorer.
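One way to apply this workaround, as an added example that is not part of the iDefense advisory or Yahoo's guidance. It assumes the standard Internet Explorer kill-bit location (the "Compatibility Flags" DWORD value 0x400 under the "ActiveX Compatibility" key) and an elevated PowerShell prompt; the function name Set-KillBit is hypothetical.

```powershell
# Added example: set the IE kill bit for the YVerInfo control.
# The CLSID is the one listed in the advisory above.
$Clsid   = '{D5184A39-CBDF-4A4F-AC1A-7A45A852C883}'
$KillBit = 0x00000400   # Compatibility Flags bit that stops IE from instantiating the control

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: ORs the kill bit into any existing flags and reads the value back.
function Set-KillBit {
    param([string]$Root, [string]$Clsid, [int]$Flag)

    if (-not (Test-Path -LiteralPath $Root)) { return }   # this view does not exist on the host

    $Key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Preserve flags that are already present instead of overwriting them.
    $Name    = 'Compatibility Flags'
    $Current = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $Current) { $Current = 0 }

    Set-ItemProperty -LiteralPath $Key -Name $Name -Value ($Current -bor $Flag) -Type DWord

    # Read back so the result reflects what is actually stored.
    $Check = (Get-ItemProperty -LiteralPath $Key -Name $Name).$Name
    [pscustomobject]@{
        Key        = $Key
        Before     = '0x{0:X8}' -f $Current
        After      = '0x{0:X8}' -f $Check
        KillBitSet = (($Check -band $Flag) -eq $Flag)
    }
}

$Roots | ForEach-Object { Set-KillBit -Root $_ -Clsid $Clsid -Flag $KillBit } |
    Format-Table -AutoSize
```

The kill bit only affects Internet Explorer and hosts that honor it; the vulnerable YVerInfo.dll remains on disk until the updated Yahoo! Messenger is installed.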
Vendor response:
Yahoo Inc. has addressed these vulnerabilities by releasing an updated version of Yahoo! Messenger. More information is available at the following URL: http://messenger.yahoo.com/security_update.php?id=082907
CVE Information:
CVE-2007-4515
Disclosure timeline:
08/21/2007 - Initial vendor notification
08/21/2007 - Initial vendor response
08/30/2007 - Coordinated public disclosure