
Yahoo fixes Messenger transfer flaw

Munir Kotadia ZDNet.co.uk

Published: 12 Jan 2004 12:45 GMT


A serious security bug in Yahoo's Instant Messenger, which could cause a buffer-overflow error and leave users' machines open to malicious code, was finally repaired on Thursday.

A buffer overflow occurs when an application receives a string of data that is longer than the buffer set aside to hold it. The excess data overwrites adjacent memory, which leaves the sender of that data string in a position to load the buffer with another value, allowing malicious code to be executed instead of the original program. In this case, the error affected versions 5.6.0.1351 and earlier of Yahoo's IM client software, and was triggered when a user downloaded a file with a name that was a specific number of characters in length. A server-side fix means that users will not have to upgrade their software.

Tri Huynh, a security consultant based in Massachusetts, who claims to have discovered the problem two months ago, told ZDNet UK that the bug posed serious problems because of the ease with which PCs could be infected. "This is highly critical. When you get sent a file and you save it, you don't even need to open the file for the overflow to happen," he said.

A Yahoo spokeswoman told ZDNet UK that the company had fixed the bug in their server software on Thursday. "Upon learning of this issue, we immediately began working towards a resolution and implemented a server-side fix early on Thursday morning, eliminating the need for users to download a patch or a new version of Yahoo Messenger," she said. "We are not aware of any active exploits that have affected our users."

This is the second buffer-overflow bug that has been reported in Yahoo's popular instant messenger program in less than a month.
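The two defences implied by the filename-length overflow and the server-side fix described above, sketched in C as an added example (not Yahoo's code, and not taken from the article). The buffer size, the relay limit, the length-prefixed wire format and all function names are assumptions; the article does not state the triggering length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_NAME_BUF  64                     /* assumed size of the client's fixed buffer */
#define RELAY_NAME_LIMIT (CLIENT_NAME_BUF - 1)  /* assumed cap enforced on the server */

enum name_status { NAME_OK = 0, NAME_EMPTY, NAME_TOO_LONG, NAME_EMBEDDED_NUL };

/* Server-side check (hypothetical): refuse a transfer offer before it is
 * relayed, so clients that are still unpatched never see an oversized name. */
enum name_status relay_check_name(const unsigned char *name, size_t len)
{
    if (len == 0)
        return NAME_EMPTY;
    if (len > RELAY_NAME_LIMIT)
        return NAME_TOO_LONG;
    /* An embedded NUL makes the C-string length disagree with the wire length. */
    if (memchr(name, '\0', len) != NULL)
        return NAME_EMBEDDED_NUL;
    return NAME_OK;
}

/* Client-side fix (hypothetical): the unsafe pattern is an unbounded copy such
 * as strcpy(dst, name). Here the length is checked against the destination
 * size first, and an oversized name is rejected rather than truncated. */
int client_store_name(char *dst, size_t dst_size,
                      const unsigned char *name, size_t len)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    if (len >= dst_size) {          /* no room for the name plus terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    unsigned char long_name[300];   /* constructed sample: 300-byte filename */
    char buf[CLIENT_NAME_BUF];

    memset(long_name, 'A', sizeof long_name);
    printf("relay verdict: %d\n", relay_check_name(long_name, sizeof long_name));
    printf("client store:  %d\n",
           client_store_name(buf, sizeof buf, long_name, sizeof long_name));
    return 0;
}
```

Enforcing the limit at the relay protects every client at once, which is why a server-side change can stand in for a client patch; the client-side bound still matters for any path that does not pass through the server.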
