A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.
Details of the vulnerability were first posted on a Chinese-language security forum and was later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog.
So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.
The vulnerability affects Yahoo Messenger version 126.96.36.1993. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behaviour such as downloading other code, said Greg Day, a security analyst for McAfee in the U.K.
McAfee is advising that people reject web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with program's operation, Day said.
Yahoo could not be immediately reached for comment.