Yahoo has updated its Messenger instant messaging program to flush a bug that hackers could exploit by sending video chat invitations to unwary users.
The vulnerability, which surfaced last week in a posting to a Chinese security forum, could be exploited by duping a user into accepting a malicious webcam invitation, McAfee confirmed on 15 August.
In its advisory, Yahoo said that it had actually patched two bugs, the heap overflow disclosed last week and a previously unknown denial-of-service (DoS) issue that also involves Messenger’s video chat feature. Speaking of the latter, Yahoo's alert said: "For this specific security issue, Messenger exits unexpectedly after accepting a webcam invitation from a malicious attacker."
Unlike the buffer overflow flaw, the DoS vulnerability would not give an attacker the chance to sneak his own malicious code onto the PC.
Messenger 22.214.171.1246 is the summer's second patched-up IM client for Yahoo. In June, eEye Digital Security fingered Messenger for two other critical flaws in the webcam feature. Then, Yahoo patched the bugs considerably faster: It released a fix just a day after the flaws went public. According to McAfee researcher Wei Wang, August’s video vulnerability wasn’t connected to the older June bugs.
Messenger users can download the patched version immediately, or wait for the software’s auto-update to kick in. Yahoo acknowledged that it may take weeks for the update to be fully deployed. "Over the next several weeks, users worldwide will be prompted to update to a new version of Messenger upon signing into the service," Yahoo’s advisory read.