Yahoo! Messenger is "a free instant messaging service that you can use to communicate with other people who also use Yahoo! Messenger".
Yahoo! Messenger contains multiple vulnerabilities: filename spoofing in file transfers and privilege escalation through the Audio Setup Wizard.
Vulnerable Systems:
* Yahoo! Messenger version 6.0.0.1750 (for Windows)
Immune Systems:
* Yahoo! Messenger version 6.0.0.1921 (for Windows) or newer
Audio Setup Wizard Privilege Escalation
Yahoo! Messenger contains a vulnerability which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused by a combination of weak default directory permissions and the Audio Setup Wizard (asw.dll) invoking the "ping.exe" utility insecurely during the connection testing phase. This can be exploited to execute arbitrary code with the privileges of another user by placing a malicious "ping.exe" file in the application's "Messenger" directory.
Successful exploitation requires that a user runs the Audio Setup Wizard and that the application has been installed in a non-default location (not as a subdirectory of the "Program Files" directory).
File Transfer Filename Spoofing
Yahoo! Messenger wraps overly long filenames and shows only the first line of the filename in the file transfer dialogs. The file extension can thus be spoofed for a filename containing whitespace and two file extensions.
Successful exploitation requires that the option "Hide extension for known file types" is enabled in Windows (default setting).
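A receiving-side check for the filename pattern described above, as an added example that is not part of the original advisory or of Yahoo!'s code. The wrap width, the extension list and the function names are assumptions, and the sample filenames in the usage comment are constructed.

```python
import os
import re

# Assumption: the advisory does not state the dialog's wrap width; 40 is illustrative.
WRAP_WIDTH = 40
# Assumption: a small illustrative set of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# An extension, then whitespace, then a second extension at the very end of the name.
DOUBLE_EXT = re.compile(r"\.[A-Za-z]\w{1,4}\s+\S*\.[A-Za-z]\w{1,4}$")


def first_display_line(filename, width=WRAP_WIDTH):
    """Model a dialog that wraps at whitespace and shows only the first line."""
    if len(filename) <= width:
        return filename
    cut = filename.rfind(" ", 0, width + 1)
    if cut == -1:
        return filename[:width]  # assumption: hard cut when there is no whitespace
    return filename[:cut].rstrip()


def check_offered_filename(filename, width=WRAP_WIDTH):
    """Return the reasons an offered filename looks spoofed (empty list if none)."""
    reasons = []
    name = filename.strip()
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(first_display_line(name, width))[1].lower()
    # The visible first line ends in one extension, the full name in another.
    if shown_ext and shown_ext != real_ext:
        reasons.append("wrapped-display-mismatch")
    # Width-independent check for the "whitespace and two extensions" shape.
    if DOUBLE_EXT.search(name):
        reasons.append("whitespace-between-extensions")
    if reasons and real_ext in EXECUTABLE_EXTS:
        reasons.append("real-type-executable")
    return reasons


# Constructed samples:
#   check_offered_filename("holiday_photos.jpg" + " " * 60 + ".exe")
#   check_offered_filename("Quarterly report for the finance team 2004 final version.doc")
```

The second check does not depend on the assumed wrap width, so it still fires when the real dialog wraps at a different column.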
No update has been issued yet, but watch for one in the very near future.