The zero-day flaw was first published on Chinese security forums, but researchers at McAfee said this week that they recreated the flaw on Yahoo Messenger version 18.104.22.1683.
The vulnerability "seems like a classic heap overflow that can be triggered when the victim accepts a webcam invite," Wei Wang, a researcher at McAfee Avert Labs, blogged on Wednesday.
McAfee said it notified Yahoo’s security team about the issue, and advised users to decline webcam invites from untrusted sources and block outgoing traffic on TCP port 5100 until the Sunnyvale, Calif.-based web giant releases a patch.
Dave Marcus, security research and communications manager at McAfee Avert Labs, told SCMagazine.com that there are no wild exploits for the flaw.
"We’re not seeing anything past proof of concept (PoC) code, so we have no reports of exploitation in the wild, but I think it’s important enough to let people know that we are monitoring the situation," he said.
"The choice of Yahoo Webcam as something to develop exploits for [is intriguing], and I think that’s a result of researchers being quick to know what’s popular out there and looking for vulnerabilities to exploit in those popular applications."
A Yahoo representative could not immediately be reached for comment.
In June, Yahoo patched two vulnerabilities in Messenger’s ActiveX control that had been disclosed by a hacker offering PoC exploit code.
A researcher using the name "Danny" had released two zero-day ActiveX exploits for Messenger’s Webcam application on the Full Disclosure mailing list.
McAfee warns of Yahoo Messenger Webcam bug
By Frank Washkuch on Aug 17, 2007 9:57AM