May 28, 2002


In a post to Bugtraq on May 27, Phuong Nguyen of VICE Consulting
described a buffer overflow in Yahoo! Messenger (YIM). By sending
you an HTML e-mail or enticing you to a malicious Web site, a hacker
could exploit this buffer overflow to run malicious code on your
machine, possibly leading to full compromise of your system. There
is no direct impact on WatchGuard products. Administrators whose
clients use YIM should distribute the latest version of YIM as soon
as possible.


Yahoo! Messenger (YIM) is an instant messaging product similar to
ICQ, MSN Messenger and AOL Instant Messenger that allows you to chat
with individual "buddies" online. Despite its security drawbacks,
Instant Messaging (IM) software is growing in popularity as a means
of online communication. Some articles estimate that there are over
200 million instant messenger users.

In VICE Consulting's advisory to Bugtraq, Phuong Nguyen describes a
buffer overflow
found in an executable that ships with YIM. When installed, YIM adds
functionality to your Web browser to handle YIM-specific URLs. You
can recognize YIM-specific URLs because they begin with "ymsgr:"
rather than "http://". When you visit a YIM-specific URL, the
request is processed by the YIM executable rather than your Web
browser. Unfortunately, the YIM executable does not check the length
of the URL, which leaves the potential for a buffer overflow.

By enticing you to his malicious Web site or sending you an HTML
e-mail, any hacker could easily exploit this buffer overflow to crash
YIM. Furthermore, a skilled hacker could craft his malicious URL to
execute code on your system. This could result in a full system

The advisory also describes an issue that is more a social
engineering technique than a vulnerability. YIM uses something
called "Content Tabs" that are essentially tabs in YIM that link to
HTML pages. By default, YIM includes tabs leading to popular Web
sites that offer stock reports, weather and news. VICE Consulting
found a method for adding custom Content Tabs to YIM with a
specially crafted URL. A hacker could exploit this to add a Content
Tab pointing to his malicious Web page. If a curious user clicks on
a Content Tab that points to a Web page containing the buffer
overflow described above, the hacker greatly increases his chances
of a successful attack.
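
One way a mail or Web gateway could flag the over-long "ymsgr:" URLs
described above. This is an added example, not part of the original
advisory and not WatchGuard or Yahoo! code. The 256-character cutoff,
the function names and the sample HTML are assumptions; the advisory
does not state a safe length.

```python
from html.parser import HTMLParser

# Assumption: the advisory gives no safe length; 256 is an illustrative cutoff.
MAX_YMSGR_URI_LEN = 256
SCHEME = "ymsgr:"


class YmsgrLinkFinder(HTMLParser):
    """Collect every tag attribute whose value is a ymsgr: URI."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # HTMLParser has already decoded character references here.
            # Browsers ignore tabs and newlines inside URLs, so drop them too.
            uri = "".join(ch for ch in value if ch not in "\t\r\n").strip()
            if uri.lower().startswith(SCHEME):
                self.uris.append((tag, name, uri))


def scan_html(html_text, max_len=MAX_YMSGR_URI_LEN):
    """Return one finding per ymsgr: URI; 'oversize' marks those over max_len."""
    finder = YmsgrLinkFinder()
    finder.feed(html_text)
    finder.close()
    return [
        {"tag": tag, "attr": attr, "length": len(uri), "oversize": len(uri) > max_len}
        for tag, attr, uri in finder.uris
    ]


if __name__ == "__main__":
    # Constructed sample message body, not taken from the advisory.
    sample = (
        '<html><body>'
        '<a href="ymsgr:example-short">chat</a>'
        '<iframe src="YMSGR:' + "x" * 600 + '"></iframe>'
        '<a href="http://example.com/">site</a>'
        '</body></html>'
    )
    for finding in scan_html(sample):
        print(finding)
```

A gateway would quarantine or strip any message or page for which a
finding has "oversize" set, and could log the rest to see how often
"ymsgr:" links reach users at all.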


Yahoo! has released an updated version of YIM to fix this issue. You
can download it here.

WatchGuard does not recommend the use of Instant Messaging (IM)
clients in a business environment. Although they are fairly
convenient, IM clients are insecure. That said, remain aware that
your users might install these messaging clients on their own. Make
sure you educate your users on your IM policy and, if you must use
these clients in your network, keep them up to date. For more on IM
insecurities, see our past Support Flash, "Is Instant Messaging
Sneaking into Your Network?"