Yahoo IM Flaw A Big Headache For Sysadmins
Yahoo Messenger users are vulnerable to two security holes, the more serious of which could lead to the execution of malicious code on a user's system, Yahoo has warned.
Source: TechWorldAn update available from Yahoo's site fixes the flaws, which affect versions of Messenger up to 6.0.0.1750, and would be found in any version downloaded before 15 February, Yahoo said in an advisory.
"Under a very specific set of circumstances, an executable file could be unknowlingly launched in Yahoo! Messenger. As a result, users could be vulnerable to running a malicious program on their computer," Yahoo said. The bug, a spoofing flaw, was discovered by Danish security firm Secunia.
Affected versions of Messenger don't display long filenames correctly in the file transfer dialogue windows, Secunia said. "This can be exploited to trick users into accepting and potentially executing malicious files."
For the exploit to work, the option "Hide extension for known file types" must be enabled in Windows - as it is by default, Secunia said. The bug's seriousness is mitigated by the need for user interaction in a successful exploit, but it is dangerous enough that companies shouldn't delay upgrading, Secunia said.
0
Comments
Edited to tone it down a little