A hacker named "Danny" has released two zero-day ActiveX exploits for Yahoo Messenger's Webcam application.
The hacker released the exploits on the Full Disclosure mailing list early today and late last night.
The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia, which ranked the flaws as "extremely critical," meaning they are unpatched, can allow remote code execution and exploits are in the wild.
The Ocean County, Calif.-based firm cautioned PC users that the flaws are "high" severity.
FrSIRT warned today that the vulnerabilities are "critical."
Yahoo spokesperson Terrell Karlsten said today that the company "began working towards a resolution and expect(s) to have a fix shortly."
Andrew Storms, director of security operations for nCircle, said today that one reason the flaws are dangerous is because instant messaging applications are widespread – and security professionals might not be aware how much so.
"The impact of this vulnerability is extensive because it could allow attackers to take complete control of a user’s system, and two public proof-of-concept exploits are available. This leaves many thousands of internet consumers at high risk," he said. "Enterprise users on Yahoo IM are particularly at risk because IM may not be a sanctioned application, but still be in wide use across networks. IT security teams must figure out where it is installed before they can take steps to protect the network."