Yahoo! Messenger is once again in the news for all the wrong reasons. This time it is a heap overflow in the webcam component. The news was apparently first exposed my McAfee in a blog post at http://www.avertlabs.com/research/blog/index.php/2007/08/14/potential-yahoo-messenger-zero-day/. A second post at http://www.avertlabs.com/research/blog/index.php/2007/08/15/more-on-the-yahoo-messenger-webcam-0day/ goes into more detail explaining that you shouldn’t accept unknown webcam invites and to possibly firewall port 5100. Security Focus has also issued an alert at http://www.securityfocus.com/bid/25330/info but they only classify is as a remote denial of service attack, far from the remote code execution heralded by McAfee. Security Focus reports that exploit code can be found at http://www.team509.com/expyahoo.rar.

When I hear that a new exploit may be on the market for Messenger the first thing I do is head over to Google News and see what the top Messenger stories are. For some reason I think this particular exploit may be getting the attention of a more generalized audience. Compared to the June 2007 exploit, the news reports appear to be more numerous and written in a more ominous tone. The thing that really caught my attention was the fact that more main stream media outlets are picking up on this story such as ABC (http://www.abcnews.go.com/Technology/PCWorld/story?id=3482490). Although this particular Yahoo! Messenger attack may not be any worse than the June exploit, Yahoo! may have a bigger public relations mess on their hands.