Do you Yahoo!?

Messenger program vulnerable to exploit

The CERT Coordination Center (CERT/CC), a federally funded research and development center operated by Carnegie Mellon University, has issued an advisory regarding multiple vulnerabilities in Yahoo! Messenger. The vulnerabilities affect version 5.0.0.1064 and prior. To verify the version of Yahoo! Messenger installed, select the Help menu and choose "About Yahoo! Messenger". All users of Yahoo! Messenger should manually check their version number, as an error in the automatic update process may have inadvertently installed version 5.0.0.1036 beginning May 22, 2002 (the date the fixed version, 5.0.0.1065 was released). The vulnerabilities affect only Microsoft Windows users.

According to CERT, there are no known exploits of these vulnerabilities, which involve a buffer overflow problem and URL validation vulnerability. The vulnerabilities could allow an unsavory person to send malicious scripts to an unsuspecting user. According to CERT, the impact could range from modifying data in a victim's buddy list, to a denial of service attack, to the execution of malicious code on a victim's system. Such code would operate with the same rights as assigned to the victim user.

In addition to updating to version 5.0.0.1065 or above, CERT recommends implementing layers of defense in the form of firewall and filtering applications.

The vulnerabilities were initially discovered on May 27, 2002 with an advisory released on June 5, 2002. A full reporting of the CERT reported Yahoo! Messenger vulnerabilities is available at: http://www.cert.org/advisories/CA-2002-16.html.