New zero-day vulnerabilities have been found in both AOL and Yahoo instant messaging products. According to ZDNet Blogs, this is the third major security hiccup found in Yahoo Messenger over the last few months.
Exploit code has been released for the hole in Yahoo Messenger, which allows an attacker to specify an arbitrary file to be downloaded by the victim. Remote execution is dependent on Internet Explorer settings.
The vulnerability in AOL Instant Messenger can be exploited to execute arbitrary script code in the Local Zone context. The exploit relies on improperly handled input that is passed in via the notification window.
There appears to be no workaround or recommendation for the Yahoo flaw at the moment. Perhaps it might be a good idea to set your Internet Explorer security settings to something more draconian until Yahoo releases a patch.
For AIM, Secunia recommends that users disable the “New IMs arrive” option in the “Notifications” settings until America Online ships a patch.
You know, perhaps it might not be such a good idea to have more than one IM client installed, as each one simply increases your attack surface. How many IM clients do you have installed on your PC?