Message-Id: <200610261423.k9QENWT8048984@mailserver3.hushmail.com>
Date: Thu, 26 Oct 2006 09:23:28 -0500
From: <cdejrhymeswithgay@...h.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>, <ge@...uxbox.org>
Subject: Re: Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability
On Wed, 25 Oct 2006 04:30:18 -0500 Gadi Evron <ge@...uxbox.org> wrote:
>>
>> Does anyone have more information on this issue?
>>
>
> Yes. SecuriTeam is currently assisting a researcher with reporting this issue to Yahoo! security.
>
> Yahoo! security responded in record time, as they often do, and are working to resolve this potential security vulnerability.
>
> An official report with full credit to the researcher who discovered it will be released when the incident has been resolved.
>
> A similar vulnerability was reported on the mailing lists a few months ago, which has not been fixed. SecuriTeam assisted the researcher and Yahoo! responded and fixed the issue in a matter of a day. Yahoo! are very capable with security vulnerabilities in their software.
>
> Thanks,
>
> Gadi.
>
>> ----snip----
>> http://www.securityfocus.com/bid/20625/discuss
>> Yahoo! Messenger is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
>>
>> This vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the server, denying further service to legitimate users.
>>
>> Yahoo! Messenger 8 with Voice is vulnerable.
>> ----snip----
>>
>> I could not find this vulnerability reported on any other place than bugtraq (say Secunia, iDefense, ISC).
>>
>> Thanks,
>>
>> - Siddhartha
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
So how fast is this "record time?" As fast as Hitler's Blitzkrieg
tactics? That's pretty fast!