Yahoo bug puts 60 million users at risk
The latest version of the popular Yahoo Instant Messenger software has been hit by multiple vulnerabilities which may allow an attacker to hijack another user's machine - putting 60 million users at risk.
According to security researcher Phuong Nguyen, of security firm Vice Consulting, the flaws allow unauthorised execution of programs on an instant messenger user’s machine via buffer overflows or injections of Java or Visual Basic script in the instant messenger content tabs.
‘The net impact is to allow a relatively simple opportunity to hijack users’ YIM client outright, and use it to attack or intrude into YIM users’ supposedly private information systems,’ said Nguyen.
Nguyen explained that potential attackers could use the exploits to request a YIM user’s ID and password and send it to an email address or internet URL, with minimum user intervention required.
Malicious code could readily be hidden in HTML pages or emails with text or images enticing YIM users to click on them.
Yahoo has responded quickly to the threat and has made a patched version of the software available for download on its website.
However, the repaired version will remove some functionality from the software until Yahoo can rewrite it with sufficient security.
The patched version can be downloaded here.