Yahoo issues emergency patch on messaging software - Action News

Yahoo issues emergency patch on messaging software

Yahoo Inc. has rushed out an updated version of its popular instant messaging software after learning that a flaw in the software could let an attacker hijack a user's computer.

Versions of Yahoo Messenger for computers that run on Microsoft Corp.'s Windows operating system and that were downloaded before June 8 are vulnerable to the flaw, discovered by eEye Digital Security of Aliso Viejo, Calif., about 80 kilometres south of Los Angeles.

Yahoo released its patch on Friday.

The vulnerability involves components of the software, which is used to stream data to other people from a user's webcam, according to eEye.

The files are used when transmitting video and audio from a webcam to or from Yahoo Messenger users, but can be activated by any website, eEye said.

An attacker could log users out of their chat sessions, crash programs or even take control of the victim's computer by tricking them into visiting a specially crafted web page.

"What you'd be able to do is anything you want with the same level of access as the user" being attacked, Marc Maiffret, eEye's chief technology officer, told CBC News Online.

"This is similar to flaws we've seen targeting the actual desktop," Maiffret said. "Antivirus software won't work because there are no malicious files associated with it.

"It happens pretty instantaneously within a few seconds," Maiffret said of the attack, noting that most people wouldn't even realize that their computer has been attacked. "The most you would observe would be our Yahoo Messenger might crash. That wouldn't be enough to most people to indicate you've been compromised. Software crashes are pretty common."

Maiffret said that because most antivirus and security software is incapable of detecting this type of flaw, his company was offering a free version of its professional security software for home users, Blink Personal.

The tool can detect and prevent attacks of the type unpatched versions of Yahoo Messenger are vulnerable to, and collects anonymized data on attack attempts that eEye can analyze to develop countermeasures, Maiffret said.

In a notice posted on its website, Yahoo said that over the next few weeks it would be alerting users of Yahoo Messenger about the security update when they sign on to the chat service.