Yahoo issued an emergency patch on Thursday, after a company spokesperson's description of two flaws in Yahoo Messenger 8 apparently gave a security researcher enough information to quickly develop exploits for the vulnerabilities.
On Tuesday, security firm eEye Digital Security announced that it had discovered two vulnerabilities in the software, but did not disclose the details. The next day, a Yahoo representative -- quoted in an article in Information Week -- described the flaws as buffer overflows in the ActiveX control responsible for "Web cam image upload and viewing."
The description of the vulnerability was apparently enough to allow a researcher to find the flaws through 45 minutes of fuzzing. A vulnerability researcher using the name "Danny" released proof-of-concept exploits for both issues on the Full-Disclosure mailing list, linking to the Information Week article.
Yahoo released a patch for the issue on Thursday.
"For this specific security issue, these impacts (executing code) could only be possible if an attacker is successful in prompting someone to view malicious HTML code, most likely executed by getting a person to visit their web page," the company said in its advisory.
A nod to Ryan Naraine at ZDNet's Zero Day blog for a timeline of events.
Posted by: Robert Lemos