
Yahoo Webcam Security Problem
By Christopher Nickson
August 16, 2007
A webcam invite flaw in the newest version of Yahoo Messenger could leave users vulnerable to hacker attacks.
Do you use Yahoo Messenger? Have a webcam that you switch on for others to see you? Then you’d better be careful for a while. Chinese researchers reported that they’d found a zero-day vulnerability in the service’s webcam, which McAfee reproduced yesterday. It affects users on Messenger V8.1.0.413.

According to McAfee, the vulnerability can be triggered when a user accepts a webcam invitation. This can leave the user open to remote-code execution attacks. However, the company said it had yet to see any exploitation code published for the vulnerability. McAfee has informed Yahoo of the problem.

“Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly,” a Yahoo spokesman informed InformationWeek in an e-mail. “Yahoo takes security seriously and consistently employs measures to help protect our users.”

This follows a report by eEye Digital Security, which found multiple flaws in Version 8 of Yahoo Messenger that could allow a remote hacker to take control of a user’s system. Yahoo also experienced a problem in June, a buffer-overflow flaw in an ActiveX control, which was patched.

For now, Yahoo is advising Messenger users not to accept webcam invitations from untrusted sources until a patch has been released and installed on the computer, and to block outgoing traffic on TCP port 5100.