Yahoo vulnerability [Archive] - SpeedGuide.net Broadband Community

Ghosthunter
09-22-03, 01:11 PM
(7) MODERATE: Yahoo! ActiveX Control Overflows

Affected Products:
Internet Explorer (all versions) running the following Yahoo! ActiveX
controls:
"YInstStarter Class" and "Webcam Viewer Wrapper"
Yahoo! Messenger
Yahoo! Chat

Description:
ActiveX controls installed with Yahoo! Chat and Messenger (also may be
installed standalone) have been found to contain various buffer overflow
vulnerabilities. Specifically, the "Webcam Viewer Wrapper" ActiveX
control contains a flaw in handling overlong "TargetName" parameters
(this control is used by both Chat and Messenger). Also, the
"YInstStarter Class" ActiveX control mishandles data passed to the
"AppId" parameter (this control is installed when Yahoo! Messenger is
downloaded). These vulnerabilities can be exploited by a malicious web
server to execute arbitrary code on a client system with the privileges
of the user running the browser. The posted advisories explain how to
trigger the overflows.

Status: Vendor confirmed. Fixed versions of the Yahoo! ActiveX controls
are available.

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary. One site
commented that Yahoo's chat servers are redirected to localhost within
their DNS. This action has effectively killed any desire to use the
product at their site.

References:
Postings by Cesar Cerrudo:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/4025.html
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/4078.html

Secunia Advisory:
http://archives.neohapsis.com/archives/secunia/2003-q3/0601.html

ActiveX Controls Update:
http://messenger.yahoo.com/messenger/security/

SecurityFocus BID:
http://www.securityfocus.com/bid/8634