Yahoo! Messenger for Mac OS X vulnerable to remote buddy-add exploit

Although Mac OS X has proven invulnerable (so far) to genuine, in-the-wild exploits that allow remote execution of arbitrary code, individual third-party applications can still suffer remote attacks that -- while unable to take control of the system, nor gain user or root access -- can cause said individual applications to crash.

Take, for instance, a flaw in Yahoo Messenger 3.0b1. As noted by US-CERT (United States Computer Emergency Readiness Team), the flaw allows arbitrary users to be added to buddy list without proper authorization.

Though US-CERT describes an older, now defunct variant of this bug, a similar (but unrelated, directly) flaw still exists in Yahoo Messenger 3.0b1 for Mac OS X.

As described:

"Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. This message would have to be sent through Yahoo! servers, and could not be exploited peer-to-peer. [...] A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker."

US-CERT describes a vector threat from this flaw -- i.e. a user is added to your buddy list unintentionally, and said buddy attempts to send you potentially malicious data.

However, another aspect of this flaw allows an attacker to send false packets to user and force Yahoo Messenger to open new PM windows from contacts that don't exist and bomb said person with hundreds of private message windows opening up causing client lag and eventual client disconnect from Yahoo! servers (see screenshot below).

Again, while this flaw will not allow an attacker to gain control of a remote system or place malicious files, it can cause a denial of service as far as Yahoo! Messenger is concerned.

Feedback? Late-breakers@macfixit.com.

Resources