Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability
- To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <ge@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability
- From: <cdejrhymeswithgay@xxxxxxxx>
- Date: Thu, 26 Oct 2006 09:23:28 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 25 Oct 2006 04:30:18 -0500 Gadi Evron <ge@xxxxxxxxxxxx> wrote:
>>
>> Does anyone have more information on this issue?
>>
>
>Yes. SecuriTeam is currently assisting a researcher with reporting this
>issue to Yahoo! security.
>
>Yahoo! security responded in record time, as they often do, and are
>working to resolve this potential security vulnerability.
>
>An official report with full credit to the researcher who discovered it
>will be released when the incident has been resolved.
>
>A similar vulnerability was reported on the mailing lists a few months
>ago, which has not been fixed. SecuriTeam assisted the researcher and
>Yahoo! responded and fixed the issue in a matter of a day. Yahoo! are very
>capable with security vulnerabilities in their software.
>
>Thanks,
>
>       Gadi.
>
>> ----snip----
>> http://www.securityfocus.com/bid/20625/discuss
>> Yahoo! Messenger is prone to a remote buffer-overflow vulnerability
>> because it fails to properly bounds-check user-supplied data before
>> copying it to an insufficiently sized memory buffer.
>>
>> This vulnerability allows remote attackers to execute arbitrary machine
>> code in the context of the affected application. Failed exploit attempts
>> will likely crash the server, denying further service to legitimate
>> users.
>>
>> Yahoo! Messenger 8 with Voice is vulnerable.
>> ----snip----
>>
>>
>> I could not find this vulnerability reported in any other place than
>> bugtraq (say Secunia, iDefense, ISC).
>>
>>
>> Thanks,
>>
>> - Siddhartha
>>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
So how fast is this "record time?" As fast as Hitler's Blitzkrieg
tactics? That's pretty fast!
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5
wpwEAQECAAYFAkVAxOAACgkQsGS6s78KOsUFYgP9G7XHXYQvFrxyD7Bg7L+QXqAnfgiw
U8y4uD3M0jNJ6V+SwY5DZRPMOkAyRWHDRWh6okaLcVJf4e+urRroB8sAxfUZuHbI5EZd
wt9hCXlbTmRTNGp4cT7FQyPaVGN69xFcsjpFXfN2t8H73UWi1voJ6Ag1k5W8cPP0g4P3
AVhAf00=
=xmAy
-----END PGP SIGNATURE-----
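The quoted SecurityFocus text describes the bug only as a failure to bounds-check user-supplied data before copying it into a fixed-size buffer. The following is an added illustration of that bug class in general, not code from Yahoo! Messenger or from anyone in this thread; the message layout (a 16-bit little-endian length field followed by a name), the 32-byte buffer, the sample messages and every function name are assumptions constructed for the example. It puts the unchecked copy beside a checked one that validates the claimed length against both the bytes actually received and the destination size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32          /* assumed fixed-size destination buffer */
#define HOSTILE_PAYLOAD 64   /* constructed: larger than NAME_MAX */

/* Vulnerable pattern (hypothetical): the length of the attacker-controlled
   field is read from the message itself and never compared against the
   destination size, so a length > NAME_MAX writes past the end of dst. */
static void parse_name_unchecked(char *dst, const uint8_t *msg, size_t msglen)
{
    if (msglen < 2) return;
    size_t n = (size_t)msg[0] | ((size_t)msg[1] << 8);  /* attacker-controlled */
    memcpy(dst, msg + 2, n);                             /* no bounds check */
    dst[n] = '\0';
}

/* Hardened form: reject the message unless the claimed length is covered by
   the bytes received AND fits in dst with room for the terminator.
   Returns 0 on success, -1 when the message is rejected. */
static int parse_name_checked(char *dst, size_t dstsz,
                              const uint8_t *msg, size_t msglen)
{
    if (msglen < 2) return -1;
    size_t n = (size_t)msg[0] | ((size_t)msg[1] << 8);
    if (n > msglen - 2) return -1;   /* claims more than was received */
    if (n >= dstsz) return -1;       /* would not fit with the NUL */
    memcpy(dst, msg + 2, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed sample input, not real Yahoo! Messenger traffic:
   length 5, then "alice". */
static const uint8_t BENIGN_MSG[] = { 0x05, 0x00, 'a', 'l', 'i', 'c', 'e' };

/* Constructed hostile input: length 64 followed by 64 'A' bytes. */
static size_t build_hostile(uint8_t *out)
{
    out[0] = HOSTILE_PAYLOAD & 0xff;
    out[1] = (HOSTILE_PAYLOAD >> 8) & 0xff;
    memset(out + 2, 'A', HOSTILE_PAYLOAD);
    return 2 + HOSTILE_PAYLOAD;
}

int benign_is_accepted(void)
{
    char name[NAME_MAX];
    return parse_name_checked(name, sizeof name, BENIGN_MSG, sizeof BENIGN_MSG) == 0
        && strcmp(name, "alice") == 0;
}

int hostile_is_rejected(void)
{
    uint8_t msg[2 + HOSTILE_PAYLOAD];
    size_t len = build_hostile(msg);
    char name[NAME_MAX];
    return parse_name_checked(name, sizeof name, msg, len) == -1;
}

/* How many bytes the unchecked parser would write past the 32-byte buffer
   for the hostile message. Computed rather than executed, so the demo does
   not actually corrupt its own stack. */
size_t hostile_overflow_bytes(void)
{
    uint8_t msg[2 + HOSTILE_PAYLOAD];
    (void)build_hostile(msg);
    size_t claimed = (size_t)msg[0] | ((size_t)msg[1] << 8);
    size_t written = claimed + 1;                 /* +1 for the terminator */
    return written > NAME_MAX ? written - NAME_MAX : 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* The unchecked parser is only ever fed the benign message here. */
    parse_name_unchecked(name, BENIGN_MSG, sizeof BENIGN_MSG);
    printf("unchecked parse of benign message: %s\n", name);
    printf("checked parser accepts benign: %d\n", benign_is_accepted());
    printf("checked parser rejects hostile: %d\n", hostile_is_rejected());
    printf("unchecked parser would overflow by %zu bytes\n", hostile_overflow_bytes());
    return 0;
}
```

The second check (`n >= dstsz`) is the one the advisory text says was missing; the first (`n > msglen - 2`) is the companion check that stops an over-read of the receive buffer when the claimed length exceeds what arrived.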