McAfee Avert Labs talks about a security flaw in Yahoo Messenger

McAfee Avert Labs has revealed that there is a zero-day vulnerability in Yahoo Messenger.

They noticed this flaw after reading about it on a Chinese-language security forum on Tuesday.

They researched further and managed to reproduce the vulnerability on Yahoo Messenger.

The team said that the flaw might allow for code-execution attacks. However, there is no report of an exploit being made available online yet.

Wei Wang, a security researcher at McAfee wrote about this bug on the company blog: “It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo webcam ActiveX controls.”

Michael Sutton, a security evangelist at SPI Dynamics added his views on this latest bug discovery: “The latest Yahoo IM vulnerability is a perfect example of a serious client-side vulnerability that leaves millions of unsuspecting users vulnerable to attack. Fortunately, we have not heard of widespread attacks using this attack vector, nor have we seen publicly available exploit code. Hopefully Yahoo will move quickly and push a patch down to all IM clients in order to mitigate this threat.”

Checkout: Yahoo Messenger