Yahoo! chat bug gives scope for mischief
Remote disconnect risk
Security researchers have discovered a denial of service vulnerability involving Yahoo!'s popular instant messaging client. Hackers can potentially disconnect users from chat sessions by sending malformed packets to Yahoo! Messenger servers. The flaw stems from a glitch in processing routines used to process URL handler links, as explained in a SecuriTeam advisory (containing "proof of concept" demos) here.
The bug affects Yahoo! Messenger versions 5.0 and 6.0. Yahoo! is yet to issue a patch. But don't panic: although the flaw provides plenty of scope for mischief it doesn't by itself offer a way to take over vulnerable systems. SecuriTeam's suggested workaround - involving editing Registry setting - ought to be treated with caution since bungling this process can leave novices with an inoperable machine. Less experienced PC users might do better to wait for a patch from Yahoo! rather than fiddling around under the bonnet of their PCs. ®