Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won’t fix.
The buffer overflow holes (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!’s to-do list.
Yahoo! has been contacted for comment.
Exploiting the flaw relies on victims installing new emoticon packages, a vector Ahrens feels is a very live threat given instant messaging users are rather keen on new sets of smiley faces.
Those who install the corrupt emoticon package will hand attackers the same access rights they themselves have. If the ruse fails, Yahoo! Messenger will crash.