June 6, 2007 7:47 AM PDT

Yahoo IM hit with critical security flaws

by Dawn Kawamoto

A number of highly critical security flaws have been found in the latest version of Yahoo Messenger, which could allow attackers to gain remote access to users' systems, according to a security advisory issued by eEye Digital Security.

The vulnerabilities affect Yahoo Messenger versions 8.1 and 8.0, running on Windows, eEye stated in its "upcoming advisories."

Although eEye does not disclose extensive details about vulnerabilities until the respective vendor develops a patch, the security researcher did note that the Yahoo IM flaws require little user interaction for an attacker to exploit them.

"It's the classic bug. Instead of targeting your network or perimeter, it can target your desktop or client applications," said Marc Maiffret, eEye founder and chief technology officer. "Most companies are heavily dependent on perimeter security, but this is a case where network firewalls and intrusion prevention won't be enough."

Currently, no zero-day exploits exist, said Maiffret, who noted that eEye informed Yahoo about the vulnerabilities Tuesday.

One potential workaround is eEye's Blink Personal security suite, which is free for the first year.

Yahoo, meanwhile, said it is currently working on a patch for the vulnerabilities.

"We recently learned of a buffer overflow security issue in an ActiveX control. This control is part of the code for webcam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly," said Terrell Karlsten, a Yahoo spokesman.

The critical vulnerabilities are the latest to hit Yahoo Messenger. Last April, Yahoo fixed a security flaw in its audio conferencing feature in its instant messenger.

And in December, Yahoo issued a security fix for its Messenger versions 5.0 through 8.0. That patch was designed to address a security flaw found in the ActiveX control, a component of Yahoo's services suite that typically downloads the Messenger installer.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.