Thursday, August 16, 2007

More on the Yahoo! Messenger Webcam Zero-day

Earlier today Karthik blogged about a new zero-day in Yahoo! Messenger whose details had been published on some security forums in China. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 8.1.0.413 based on the information provided in the forum. It appears to be a classic heap overflow that is triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the one patched in June, which involved the Yahoo! Webcam ActiveX controls.
We have been able to reach the Yahoo! security team and have informed them about this issue.
We recommend the following to users of Yahoo! Messenger Webcam:
1) Don’t accept webcam invites from untrusted sources until a patch for this is released.
2) It is advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.
To mitigate this, we are releasing NIPS IntruShield signatures today to protect Yahoo! Messenger users from this threat. We will keep monitoring this threat and post an update if we come across anything new.
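Blocking TCP port 5100 at the gateway is only half the job; an administrator also wants to know which internal hosts are still trying to start webcam sessions, since those are the machines that have not yet stopped accepting invites. The script below is an added example, not code from the original post or from Yahoo! or McAfee. It parses connection-log lines in an iptables LOG-target style and counts outbound TCP/5100 connection attempts per internal source address. The log lines, the 10.0.0.0/8 internal range and the FW-OUT prefix are all constructed assumptions for the example.

```python
"""
Find internal hosts that are still initiating Yahoo! Messenger webcam
sessions (outbound TCP/5100), so the port-5100 block can be verified
and unpatched clients tracked down.  Added example; not vendor code.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in an iptables LOG-target style (not real traffic).
# Assumption: the gateway logs new outbound TCP connections with prefix "FW-OUT".
SAMPLE_LOG = """\
Aug 16 10:02:11 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49213 DPT=5100 SYN URGP=0
Aug 16 10:02:15 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49214 DPT=5050 SYN URGP=0
Aug 16 10:03:40 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.9 PROTO=TCP SPT=1130 DPT=5100 SYN URGP=0
Aug 16 10:04:02 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.9 PROTO=UDP SPT=1131 DPT=5100
Aug 16 10:05:00 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49215 DPT=5100 SYN URGP=0
Aug 16 10:05:30 gw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.15 PROTO=TCP SPT=5100 DPT=5100 SYN URGP=0
"""

WEBCAM_PORT = 5100
# Assumption: these are the organisation's internal address ranges.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line, plus whether SYN was flagged."""
    fields = dict(FIELD_RE.findall(line))
    fields["SYN"] = "SYN" in line.split()
    return fields


def is_local(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def webcam_initiators(log_text):
    """
    Map internal source IP -> number of new outbound TCP/5100 connection
    attempts.  Only TCP SYNs count, so UDP noise and already-established
    flows are ignored; inbound connections (external SRC) are skipped too.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or not f["SYN"]:
            continue
        if int(f.get("DPT", 0)) != WEBCAM_PORT:
            continue
        if "SRC" not in f or "DST" not in f:
            continue
        if not is_local(f["SRC"]) or is_local(f["DST"]):
            continue  # outbound from an internal host only
        counts[f["SRC"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in sorted(webcam_initiators(SAMPLE_LOG).items()):
        print(f"{host}: {n} outbound webcam connection attempt(s) on TCP/{WEBCAM_PORT}")
```

On a Linux gateway, lines in this shape come from a logging rule placed just before the block, for example `iptables -A FORWARD -p tcp --dport 5100 --syn -j LOG --log-prefix "FW-OUT "` followed by `iptables -A FORWARD -p tcp --dport 5100 -j REJECT`. The same counting logic applies to any firewall log once the field names are adjusted.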

1 comment:

Dat Tai said...

Added your blog to the Việt Blogger community

http://vietnam-blogger.com