Updated Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won't fix.
The stack-based buffer overflow (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!'s to-do list.
Yahoo! has been contacted for comment.
Exploiting the flaw relies on victims installing new emoticon packages, a vector Ahrens feels is a very live threat given instant messaging users are rather keen on new sets of smiley faces.
Those who install a booby-trapped emoticon package hand the attacker code execution with their own access rights. If the exploit misfires, Yahoo! Messenger simply crashes.
Here's how Ahrens explains the mess:
The application loads the content of the file emoticons.xml from two different directories when a user logs in to determine the available emoticons and their associated shortcuts … but the application does not properly validate the length of the string of the shortcut and title key values before passing them as an argument to different lstrcpyW calls.
This leads to a stack-based buffer overflow condition, resulting in possible code execution.
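The pattern Ahrens describes, as an added illustration that is neither Yahoo!'s code nor the researcher's: a toy loader pulls the shortcut and title values out of a constructed emoticons.xml and copies each into a fixed-size stack buffer the way an unchecked lstrcpyW would (wcsncpy with the attacker-chosen length stands in for it, since lstrcpyW is Windows-only), alongside a bounded version that rejects over-long values and a pre-install check a user could run over a third-party pack before dropping it into the emoticon directories. The buffer size, the attribute names and the sample XML are assumptions.

```c
/* Added illustration, not Yahoo! Messenger code: toy emoticons.xml loader
 * showing the unchecked-copy pattern from the advisory next to a bounded
 * version, plus a pre-install check for third-party packs. Buffer size,
 * attribute names and the sample XML are constructed assumptions. */
#include <stddef.h>
#include <wchar.h>

#define SHORTCUT_MAX 16   /* assumed size of the fixed stack buffer (wchar_t) */

/* Constructed sample pack: one benign entry and one over-long shortcut. */
static const wchar_t SAMPLE_XML[] =
    L"<emoticons>"
    L"<emoticon shortcut=\":)\" title=\"smile\"/>"
    L"<emoticon shortcut=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" title=\"boom\"/>"
    L"</emoticons>";

/* Locate the n-th (0-based) value of attribute `name`: returns a pointer to
 * its first character and stores its length, or NULL if there is no such
 * attribute. Minimal scanning for the well-formed sample, not an XML parser. */
static const wchar_t *find_attr(const wchar_t *xml, const wchar_t *name,
                                int n, size_t *len)
{
    wchar_t pat[32] = L" ";
    wcscat(pat, name);
    wcscat(pat, L"=\"");
    const wchar_t *p = xml;
    while ((p = wcsstr(p, pat)) != NULL) {
        p += wcslen(pat);
        const wchar_t *end = wcschr(p, L'"');
        if (!end) return NULL;
        if (n-- == 0) { *len = (size_t)(end - p); return p; }
        p = end + 1;
    }
    return NULL;
}

/* Vulnerable pattern (what the advisory describes): the value is copied into
 * a fixed stack buffer with no length check. lstrcpyW on Windows copies to the
 * terminator just as this wcsncpy copies `len` characters; anything of
 * SHORTCUT_MAX or more characters writes past the buffer into the frame.
 * Never feed this the second SAMPLE_XML entry. */
int register_shortcut_unchecked(const wchar_t *value, size_t len)
{
    wchar_t shortcut[SHORTCUT_MAX];
    wcsncpy(shortcut, value, len);   /* unbounded: stack overflow if len >= SHORTCUT_MAX */
    shortcut[len] = L'\0';
    return (int)wcslen(shortcut);
}

/* Hardened version: bound the copy by the destination and reject the entry
 * (return -1) rather than truncating silently. */
int register_shortcut_checked(const wchar_t *value, size_t len)
{
    wchar_t shortcut[SHORTCUT_MAX];
    if (len >= SHORTCUT_MAX) return -1;
    wmemcpy(shortcut, value, len);
    shortcut[len] = L'\0';
    return (int)wcslen(shortcut);
}

/* Convenience wrappers over the n-th shortcut of a pack; -2 means no such entry. */
int checked_shortcut(const wchar_t *xml, int n)
{
    size_t len;
    const wchar_t *v = find_attr(xml, L"shortcut", n, &len);
    return v ? register_shortcut_checked(v, len) : -2;
}

int unchecked_shortcut(const wchar_t *xml, int n)
{
    size_t len;
    const wchar_t *v = find_attr(xml, L"shortcut", n, &len);
    return v ? register_shortcut_unchecked(v, len) : -2;
}

/* Pre-install check for a third-party pack: count shortcut and title values
 * that would not fit the assumed buffer. Non-zero means do not copy the pack
 * into the emoticons directories. */
int count_oversize_entries(const wchar_t *xml)
{
    static const wchar_t *keys[] = { L"shortcut", L"title" };
    int bad = 0;
    for (int k = 0; k < 2; k++) {
        size_t len;
        for (int i = 0; find_attr(xml, keys[k], i, &len) != NULL; i++)
            if (len >= SHORTCUT_MAX) bad++;
    }
    return bad;
}

int main(void)
{
    wprintf(L"first shortcut: length %d\n", checked_shortcut(SAMPLE_XML, 0));
    wprintf(L"second shortcut rejected: %d\n", checked_shortcut(SAMPLE_XML, 1) == -1);
    wprintf(L"oversize entries in pack: %d\n", count_oversize_entries(SAMPLE_XML));
    return 0;
}
```

The unchecked routine is deliberately only ever run on the benign entry; pointing it at the 40-character shortcut corrupts the stack frame, which is the crash-or-code-execution outcome the advisory describes. The pre-install scan is the practical mitigation for a user who still wants third-party packs on an end-of-life client: reject any file whose shortcut or title values exceed what the client's buffers can hold.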
Ahrens says Yahoo! sat on the bug after he first reported it in May last year, then approved his public disclosure last month after saying it would not fix the hole.
Ahrens quotes MITRE, the US not-for-profit that runs the CVE program, as saying a bug in a third-party emoticon file would normally be excluded from receiving a CVE identifier, but that this one was assigned because of an "existence proof that third parties actually do offer sets of emoticon files" and that "Yahoo! Messenger users actually do copy these" to the required directories.
Ahrens also took a swipe at Yahoo!'s bug bounty program, which declined to pay out for this flaw even though, on his reading, Yahoo! Messenger is explicitly covered by the program's terms and conditions. ®
Update Yahoo!'s been in touch to say it "takes the security of our users very seriously, and as soon as we learned of this potential vulnerability, our team responded immediately to the security researcher and began an investigation. As the security researcher noted himself, 'exploitation [of this vulnerability] might be tricky,' and would take significant additional technological hurdles."
"Upon extensive investigation by our team," the spokesentity continued, "we've determined that this vulnerability is not easily exploitable, requiring users to actively install unsupported 3rd-party software into Messenger, and does not present a viable security threat to our users. We'll continue to work with our thriving bug bounty community to ensure the most secure experience possible for our users."