Today @ PC World
News, opinion, and links from the PC World staff.

Another Security Update for Yahoo Messenger

Posted by Stuart Johnston | Friday, August 31, 2007 1:30 PM PT

In the second incident in the past week, Yahoo has patched another security flaw in its popular Yahoo Messenger client.

However, exploiting this one requires that an interloper carry out a two-stage attack, so to my mind it's a little less critical than the last one.

That's not to say there aren't black hat hackers/crackers out there who are plenty sophisticated enough to execute multiple exploit programs in a row just to break into your PC. But given that there are so many PCs out there that aren't up to date with patches for existing single-step exploits, why go to all that extra work? We'll get to that point soon enough -- as the easy holes get plugged, the bad guys will seek out more difficult exploits. It's a pattern we've seen before.

That said -- it's always a good idea to stay up to date with patches. But sometimes there's a certain balancing act between making sure you're protected and waiting to be sure an update doesn't cause problems of its own. Unless there is a zero-day attack going around, I typically will watch the blogs and forums for a day or two after, for example, a Microsoft "Patch Tuesday" drop because sometimes a patch may have unpleasant side effects.

That is, I have automatic updates set to download patches but to let me decide when to install them. It's often inconvenient to install the patches when they first arrive -- I often have multiple applications open working on several stories at once and it's often recommended to shut down other applications when installing updates.

In this case, there have been no attacks in the wild, the patch has been out for a day or so without any reports of problems, and it's a complicated attack scenario.

This particular update fixes a problem in an ActiveX control that is part of Yahoo Messenger referred to as "Get Version Info" -- you can guess what it does. Like a large number of attack avenues, this one, at its heart, revolves around a classic "buffer overflow" vulnerability.

Buffers are used in all kinds of situations in programming. They do what their name implies -- they hold data until it's needed. It's an incredibly useful programming device that can be applied to lots of things in the digital world. For instance, in a really simplistic description, buffers are responsible for you being able to type on a keyboard and have the letters appear on your display. They're also used to hold the stream of bits playing back from an MP3 file on your computer's speakers as each bit waits its turn to be played. But they can also be used to do things like, say, count to 100 or temporarily store a subresult of a complex mathematical calculation.

But like a bowl you're pouring water into, you want to make sure that the buffer doesn't overflow with information. You watch the water approach the bowl's rim and stop pouring. If not, it spills over onto the counter. A buffer overflow is possible when there is no chunk of code sitting there watching to make sure the same thing doesn't occur with the data destined for that particular buffer.

When the buffer overflows, the excess data can overwrite whatever sits next to it in memory, and that leaves the door open for the attacker's program to assume control of the entire system.
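The missing check described above, shown as an added C example (it is not code from Yahoo Messenger or from the original post). The 8-byte buffer, the `memory` struct and all function names are made up for illustration, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8          /* the "bowl": room for 8 bytes */

/* One flat array stands in for memory: the first BUF_SIZE bytes are the
 * buffer, the rest is unrelated data that happens to sit right after it.
 * Keeping both in a single array keeps this demo well-defined C. */
struct memory {
    unsigned char bytes[BUF_SIZE + 8];
};

static void memory_init(struct memory *m) {
    memset(m->bytes, 0, BUF_SIZE);
    memcpy(m->bytes + BUF_SIZE, "NEIGHBOR", 8);
}

/* Nobody watching the rim: copies len bytes regardless of BUF_SIZE.
 * (Callers in this demo never pass more than sizeof m->bytes.) */
static void fill_unchecked(struct memory *m, const void *src, size_t len) {
    memcpy(m->bytes, src, len);
}

/* The missing check: refuse input that does not fit in the buffer. */
static int fill_checked(struct memory *m, const void *src, size_t len) {
    if (len > BUF_SIZE)
        return -1;
    memcpy(m->bytes, src, len);
    return 0;
}

/* Returns 1 if the data stored after the buffer is still intact. */
static int neighbor_intact(const struct memory *m) {
    return memcmp(m->bytes + BUF_SIZE, "NEIGHBOR", 8) == 0;
}

int main(void) {
    const char input[] = "AAAAAAAAAAAA";  /* constructed: 12 bytes, 4 too many */
    struct memory m;

    memory_init(&m);
    fill_unchecked(&m, input, 12);
    printf("unchecked: neighbor intact? %d\n", neighbor_intact(&m));

    memory_init(&m);
    int rc = fill_checked(&m, input, 12);
    printf("checked: rc=%d, neighbor intact? %d\n", rc, neighbor_intact(&m));
    return 0;
}
```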

In this case, however, the malicious attacker would first have to carry out a "cross-site scripting" exploit, in order to get into a position where it could execute the buffer overflow exploit.

The hole was first discovered by iDefense.

Here's what iDefense's description says about the cross-site vulnerability:

"It is important to note that functions within this class can only be called if the control believes it is being run from the yahoo.com domain. In order for this exploit to be triggered an attacker would either have to leverage a Cross-Site Scripting vulnerability in the yahoo.com domain, or be able to control the targeted user's DNS resolution for the domain."

So how could you get attacked? According to Yahoo's Security Advisory, by clicking on a booby-trapped hyperlink, as usual.

I should note that this is the third patch that Yahoo has put out for its Messenger client since June 11. But to be fair, they've also been pretty timely in fixing critical security holes. For instance, this one was reported to Yahoo on August 21, according to iDefense's log, and the patched update was released on August 29 -- note that it was "disclosed" on August 30.

If you installed your copy of Yahoo Messenger prior to August 29, you're at risk. You can get the update and more information here.
