Tech Daily


Yahoo Messenger web chat flaw emerges

Chinese security boards reveal new vulnerability

Shaun Nichols in California, vnunet.com 16 Aug 2007

A new vulnerability in Yahoo Messenger has been uncovered in the web chat component of the instant messaging application.

A memory error known as a 'heap overflow' can be triggered when a user accepts a specially crafted web chat invitation from the attacker, according to security firm McAfee.

It is not yet known whether an attacker would then be able to remotely execute code or cause a denial of service.

"Once the condition is induced, it depends on what your exploit code can do," Dave Marcus, senior security strategist at McAfee, told vnunet.com.

McAfee said that the vulnerability was first spotted on a Chinese-language security board. The company then tested and verified the code, and passed it on to Yahoo.

Yahoo has yet to verify the flaw as a zero-day vulnerability, but McAfee said that it is definitely not related to the ActiveX flaw reported in June.

Marcus noted that no exploit code has yet been written to take advantage of the vulnerability, and there are no reports of the vulnerability being targeted by active attacks.

McAfee recommends that Yahoo Messenger users avoid accepting web chat invitations from unknown sources, regardless of whether they have a webcam installed.

No other applications are believed to be affected by the vulnerability.
