Here’s a scary thought: Yahoo Messenger getting hit with 9 zero-day exploits.  It’s very rare to hear about applications that have that many simultaneous zero-day exploits.  For those of you who are unfamiliar with the term, ‘zero-day’ simply means the fact that there are vulnerabilities which recently do not have any patches to fix them.  Honestly, with that many zero-day exploits currently published, I would probably stay away from using such a messaging service until these problems get resolved.

Attack code that targets Yahoo Messenger has been published on the Internet, a security researcher warned Wednesday, marking the ninth exploit aimed at the popular instant messaging software so far this year.

In a posting to the milw0rm.com Web site, someone identified as “shinnai” disclosed malicious Visual Basic code that allegedly lets attackers feed any file to users of the latest version of Messenger. The exploit code successfully executes on a fully-patched PC running Windows XP SP2, shinnai said, although the effect depends on the security settings of Internet Explorer (IE).

According to an e-mail alert from nCircle Network Security Inc., hackers armed with the exploit could force-feed malware such as a Trojan horse to vulnerable users. It was nCircle that pegged the latest zero-day threat against Messenger as No. 9 for the year.

IE’s security, however, can mitigate an attack. Users running the newer IE 7 with default security settings will probably be protected.

“This latest exploit is another data point in the strong trend toward IM client attacks,” said Andrew Storms, nCircle’s director of security operations. “IM vendors jockeying for market share are trying to lure new users with new features that also open up new risks to end users.”[more]

Tags: Other