Original URL: http://www.theregister.co.uk/2005/05/20/yahoo_im_bug/
Yahoo! chat bug gives scope for mischief
Remote disconnect risk
Posted in Enterprise Security, 20th May 2005 13:42 GMT
Security researchers have discovered a denial of service vulnerability in Yahoo!'s popular instant messaging client. Hackers can potentially disconnect users from chat sessions by sending malformed packets to Yahoo! Messenger servers. The flaw stems from a glitch in the routines used to process URL handler links, as explained in a SecuriTeam advisory (containing "proof of concept" demos) here (http://www.securiteam.com/windowsntfocus/5HP0H20FPE.html).
The bug affects Yahoo! Messenger versions 5.0 and 6.0. Yahoo! has yet to issue a patch. But don't panic: although the flaw provides plenty of scope for mischief, it doesn't by itself offer a way to take over vulnerable systems. SecuriTeam's suggested workaround - which involves editing a Registry setting - ought to be treated with caution, since bungling this process can leave novices with an inoperable machine. Less experienced PC users might do better to wait for a patch from Yahoo! rather than fiddling around under the bonnet of their PCs. ®
Related stories
Yahoo! IM! in! flaw! flap! (http://www.theregister.co.uk/2004/01/13/yahoo_im_in_flaw_flap/)
Yahoo! fixes Web mail vuln (http://www.theregister.co.uk/2003/12/11/yahoo_fixes_web_mail_vuln/)
Latest MyDoom hunts victims via Yahoo! (http://www.theregister.co.uk/2004/08/04/mydoom_targets_yahoo/)
Yahoo! has minimal spyware, adware revs streams (http://www.theregister.co.uk/2005/05/04/yahoo_has_minimal_spyware_adware_revenues/)
