A Denial of Service Exploit is going around
22/06/08 04:26 PM
Developers at Torseq Technologies have discovered 2 vulnerabilities in the Yahoo Messenger Protocol in the form of a malformed "Add Buddy" packet. As it stands, the vulnerabilities require a patch from Yahoo! in order to block the attacks.
Symptoms include the inability to complete the login process, i.e. a looping disconnect, which eventually leads to the victim's account being locked.
Support Staff have published 2 workarounds to end the loop using a series of easy-to-perform steps: one without YTK Pro, the other using YTK Pro's Protocol reversion.
Without YTK Pro
- Log the affected ID into http://mm.yahoo.com
- Log into the WAP Messenger
- Click on the green link consisting of notifications.
- Deny the add buddy request. (If there's more than one exploit buddy request, click on Home and then click on any new notifications and deny any other buddy requests).
- Sign back into Messenger.
With YTK Pro (works with Yahoo Messenger Builds 7.0.0.242 - 8.1.0.421)
- Open YTK Pro + Yahoo! Messenger
- Sign in on the affected ID
- Hit Cancel before the Sign In occurs or simply Sign Out but do not close Yahoo! Messenger
- Open the "YTK Control Panel"
- Under Anti-Boot put a check mark in "Enable YMSG Protocol Reversion Messenger" and select YMSG version "12"
- Under Advanced Options make sure the "YMSG Server Selector" is set to "Let Messenger Choose"
- After Sign In is successful without a disconnection, sign out of Yahoo! Messenger, go to the YTK Control Panel, Anti-Boot, and uncheck "Enable YMSG Protocol Reversion Messenger should connect and use YMSG version".
--
We had already reported the vulnerabilities to Yahoo, but after numerous failed attempts to contact them we have decided to go public with this. Finally, we've taken other steps to get a vendor patch as soon as possible, such as reporting the vulnerabilities to security websites such as BugTraq.
Full write up here.
We will attempt to keep you as up to date as possible in our support forum.
A new 'Room Boot' is circulating!
21/10/07 10:04 PM

Warning!
An exploit is circulating that targets a vulnerability in the way Yahoo! Messenger parses various fields, including the 'Nickname' and 'Location' fields.
Update: YTK Pro Version 1.0 Beta Build 366 protects you from this vulnerability
Yahoo! Messenger 8.1.0.416 has been released
22/08/07 05:56 PM
Yahoo has released version 8.1.0.416 of its Yahoo! Messenger program. It fixes a security vulnerability in the Yahoo! Messenger Webcam Service. You can download this program by clicking the links in the download section of this website.
Yahoo! Messenger Webcam Vulnerability
17/08/07 06:00 PM
Contrary to advice issued by McAfee and our friends at Y!TunnelPro, we're recommending that users reject webcam invites altogether (from both those you know and those you don't) until a patch has been released by Yahoo! Messenger Developers to resolve this issue, which could allow a malicious user to remotely execute code on a victim's machine. Our reason for advising this "best practice" is simple: who's to know that the sender of the invite isn't a compromised account, which may lead you to believe that the invite is legitimate in the first place? Who is also to say that the sender of the webcam invite isn't already infected with an IM-Worm that propagates by sending malicious webcam invites to friends from their account unknowingly?
We never underestimate the bad guys... and we encourage you not to!
Here's a short video on how to block all webcam invites from within YTK Pro.

