Home › Forums › Archives › Instant Messaging › Yahoo! Messenger Support › Another flaw in Yahoo Messanger
- This topic has 2 replies, 3 voices, and was last updated 20 years, 4 months ago by restless311.
-
AuthorPosts
-
December 11, 2003 at 3:27 pm #11630zhugeliangMember
I found this little tid-bit in the GRC.com newsletters that i subscribe to, and i recieved it yesterday…
A vulnerability found in ypager.exe allows a website to inject [malicious] html, scripts, and
possibly activex controls into a Yahoo Messenger IM window.Side Effects:
This exploit has an extremely nasty side effect. If the IFRAME is added to the ymsgr URL in certain
ways the IMVironment information will be saved in such a way that Messenger will no longer log in.
This requires that either the IMVironment keys in the registry be cleaned or Yahoo Messenger to be
completely uninstalled.Work around:
Until Yahoo can fix the problem the exploit can be avoided by turning off IMVironments in the Yahoo
Messenger preferences.December 12, 2003 at 12:17 am #87369tomsbbbMemberzhugeliang
Thank You for the Tip, its good to know, i will have to visit Steves site more often TomDecember 24, 2003 at 9:25 am #87370restless311MemberFrom Chet Simpson(Y!Tunnel)
New flaw found in Yahoo Messenger!!
We have discovered a critical security flaw in Yahoo Messenger. This flaw allows an attacker to automatically inject malicious HTML and JavaScript code into an Instant Message window from a remote website.
This new flaw shadows another security risk discovered earlier this week that allowed a user to inject malicious code through a buffer overflow through the use of a Yahoo specific Active-X control.
Unlike the flaw discovered earlier this week, the new security hole can be run even if your security settings are set to high and JavaScript is disabled in Internet Explorer. The severity of this new flaw is considered extremely critical as it may allow JavaScript to execute in the local security zone of Internet Explorer. This can allow JavaScript access to local files as well as information stored in the system registry.
There are three ways to avoid becoming a victim of this exploit and Yahoo has released a new version of Messenger (Build 1356) which addresses this flaw. This flaw can be avoided by one of the following:
Disable IMVironments.
Enable the Y!TunnelPro anti-boot option labeled “Enable filtering for Yahoo! Messenger related crash links found in web pages.”
Download Yahoo Messenger V5.6 Build 1356. -
AuthorPosts
- You must be logged in to reply to this topic.