
New zero-day flaws found in AOL, Yahoo IM

New zero-day vulnerabilities have been found in both AOL and Yahoo instant messaging products. <a href="http://blogs.zdnet.com/security/?p=523" target="_blank">According to ZDNet Blogs</a>, this is the third major security hiccup found in Yahoo Messenger over the last few months.


Exploit code has been released for the hole in Yahoo Messenger, which allows an attacker to specify any file to be downloaded by the victim. Whether that leads to remote code execution depends on the victim's Internet Explorer security settings.

The vulnerability in AOL Instant Messenger can be exploited to execute arbitrary script code in the Local Zone context. The exploit leverages improperly handled input that is passed in via the notification window.

There appears to be no workaround or vendor recommendation for the Yahoo flaw at the moment. Perhaps it might be a good idea to set your Internet Explorer security settings to something more draconian until Yahoo releases a patch.

For AIM, Secunia recommends that users disable the "New IMs arrive" option in the "Notifications" settings until America Online ships a patch.

You know, perhaps it might not be such a good idea to have more than one IM client installed, as each one simply widens your attack surface. How many IM clients do you have installed on your PC?
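As an added example (not part of the original post or of either vendor's tooling), here is a read-only PowerShell audit a Windows administrator could run to answer the two practical questions above: how many IM clients are actually installed, and whether Internet Explorer's Internet zone still allows the script execution and file download that the Yahoo exploit relies on. The client-name patterns are assumptions to extend for your own environment; the registry paths and the URLACTION codes 1400 (Active scripting), 1200 (Run ActiveX controls and plug-ins) and 1803 (File download) are the documented ones.

```powershell
# Added example, not code from the original post or from AOL/Yahoo.
# Read-only audit of a workstation's IM exposure: installed IM clients
# (from the Add/Remove Programs Uninstall keys) and the Internet Explorer
# Internet-zone settings that govern script execution and file download.

# Standard Uninstall hives: 64-bit and 32-bit per-machine, plus per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# ASSUMPTION: display-name patterns for common IM clients; extend as needed.
$imClientPattern = 'Yahoo! Messenger|AOL Instant Messenger|\bAIM\b|Windows Live Messenger|MSN Messenger|Google Talk|Skype|Pidgin|Trillian|Spark'

function Get-InstalledImClients {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $imClientPattern } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

# Zone 3 is the Internet zone. DWORD names are URLACTION codes:
#   1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins,
#   1803 = File download.  Values: 0 = enable, 1 = prompt, 3 = disable.
# This reads the per-user hive; Group Policy may enforce the HKLM copy instead.
$internetZone = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zoneActions  = @{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1803' = 'File download'
}

function Get-InternetZoneSettings {
    $props = Get-ItemProperty -Path $internetZone -ErrorAction SilentlyContinue
    foreach ($code in ($zoneActions.Keys | Sort-Object)) {
        $raw = if ($props) { $props.$code } else { $null }
        # Note: PowerShell's switch skips every branch on $null, so test that first.
        $state = if ($null -eq $raw) { 'Not set' } else {
            switch ([int]$raw) {
                0       { 'Enabled' }
                1       { 'Prompt' }
                3       { 'Disabled' }
                default { "Unknown ($raw)" }
            }
        }
        [pscustomobject]@{ Action = $zoneActions[$code]; Code = $code; State = $state }
    }
}

$clients = @(Get-InstalledImClients)
Write-Host "Installed IM clients: $($clients.Count)"
$clients | Format-Table -AutoSize

Write-Host "Internet zone (zone 3) settings that affect drive-by downloads:"
$zone = @(Get-InternetZoneSettings)
$zone | Format-Table -AutoSize

# Flag the two conditions the post warns about: more than one IM client,
# and script execution or file download still enabled for the Internet zone.
if ($clients.Count -gt 1) {
    Write-Warning "More than one IM client installed; each one is extra attack surface."
}
$zone | Where-Object { $_.State -eq 'Enabled' } | ForEach-Object {
    Write-Warning "$($_.Action) (URLACTION $($_.Code)) is enabled for the Internet zone."
}
```

Run it in an ordinary (non-elevated) PowerShell session; it only reads the registry. Uninstall entries that register under a different display name will be missed, so treat the count as a lower bound and compare it with your software inventory tooling.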

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

7 comments

hodgese

I hate to nit-pick, but it bugs me when a source is copied word-for-word but the phrase/sentence isn't put in quotes. Your phrase following "According to ZDNet Blogs" in the first paragraph is an exact quote from their article, but you didn't put quotation marks around it.

paulmah

You know, the next time I get tempted, all I need to do is to think of you! Kidding. :) On a more serious note, it is a matter of personal pride for me NOT to "copy word for word" as you mentioned. What I try my utmost to do is to rehash/summarize/re-word (sometimes from a few sources) it into a quick yet informative read for you busy IT folks out there. In this case, I thought it would be a bit strange to have an excerpt right at the head of the article. Also, the original opening sentence from our sister site ZDNet could not have been clearer. As such, I went ahead and used it rather than changing it for its own sake. Appreciate the time taken to feedback to us though. It helps us to serve you better. Thanks!

paulmah

How many IM software do you have installed on your PC?

eward

I use meebo.com, which is a web-based client for Yahoo, AIM, Google Chat and MSN. I don't have any clients installed.

CharlieSpencer

The one at work is Spark, configured for internal communications only and not beyond the firewall. This is our second attempt to determine if we can get any use out of IM internally. The first was with another client (I've forgotten which) three or four years ago. I don't think I've used it more than three times in two months, so it looks like we still haven't found a use for it.

paulmah

How many users do you have in your IM trial involving Spark? Are they from different physical locations, or from the same office? Just curious.

CharlieSpencer

I can't be more specific because two sites are involved and I'm not sure how many are involved at the primary. I'm the only one at the secondary. Like the first trial, the participants are almost completely from the IT department. Peer message me if you'd like more details.
