Secunia Reports New Vulnerability in Yahoo Messenger
A recent statement from Secunia, citing an independent security researcher, reveals that the Yahoo Messenger (YM) instant messaging application contains a new vulnerability that could allow hackers to carry out Denial of Service (DoS) attacks on victims’ computers.
The vulnerability arises from a flaw in the handling of certain messages. This weakness can be exploited to freeze the Yahoo! Messenger application on the user’s device through a spoofed message containing specially crafted “non-ASCII” characters.
Example of a spoofed message: s:[space]msg[alt+0160]:———————————————iframe onload=$InlineAction()>:)
Successful exploitation requires that the user has not configured YM to ignore “dangerous” contacts that are not included in their Messenger list.
Secunia has confirmed that this vulnerability exists in YM version 7.5.0.814, although other versions may also be affected. As of now, Yahoo has not made any comments regarding this vulnerability.
Solution: Configure Yahoo! Messenger to ignore users not included in the Messenger contact list.
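The same policy can be sketched as a message filter. This is an added example, not code from Secunia or Yahoo: it drops messages from senders outside the contact list and flags blank or invisible non-ASCII characters in the rest. The `(sender, bytes)` message model, the cp1252 code page, the function names and the sample messages are all assumptions constructed for illustration.

```python
import unicodedata

# Assumption: message text arrives as bytes in the Windows ANSI code page
# (cp1252 on Western systems), where Alt+0160 enters byte 0xA0, which
# decodes to U+00A0 NO-BREAK SPACE.
ANSI_CODEPAGE = "cp1252"
BLANK_OR_INVISIBLE = {"Zs", "Cf"}  # space separators and format characters


def suspicious_chars(raw: bytes):
    """List (offset, code point, name) for non-ASCII characters that render
    as blank or invisible, plus bytes that are undefined in the code page."""
    text = raw.decode(ANSI_CODEPAGE, errors="replace")
    hits = []
    for offset, ch in enumerate(text):
        if ord(ch) < 128:
            continue  # plain ASCII is never flagged
        if ch == "\ufffd" or unicodedata.category(ch) in BLANK_OR_INVISIBLE:
            hits.append((offset, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits


def triage(sender: str, raw: bytes, contacts: set):
    """Apply the advisory's mitigation first, then inspect what remains."""
    if sender.lower() not in contacts:
        return "drop", []  # ignore users not in the contact list
    hits = suspicious_chars(raw)
    return ("flag" if hits else "deliver"), hits


# Constructed sample data, not captured traffic.
CONTACTS = {"alice", "bob"}
SAMPLES = [
    ("alice", b"caf\xe9 at 5?"),    # ordinary accented letter
    ("bob", b"msg\xa0: hello"),     # no-break space after "msg"
    ("mallory", b"hi"),             # sender is not a contact
]

if __name__ == "__main__":
    for sender, raw in SAMPLES:
        print(sender, raw, *triage(sender, raw, CONTACTS))
```

Ordinary accented text passes untouched, so the filter does not penalise legitimate non-English messages.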