Posted on macfixit:

Although mac os X has proven invulnerable (so far) to genuine, in-the-wild exploits that allow remote execution of arbitrary code, individual third-party applications can still suffer remote attacks that—while unable to take control of the system, nor gain user or root access—can cause said individual applications to crash.

Take, for instance, a flaw in Yahoo Messenger 3.0b1. As noted by US-CERT (United States Computer Emergency Readiness Team), the flaw allows arbitrary users to be added to buddy list without proper authorization.

Though US-CERT describes an older, now defunct variant of this bug, a similar (but unrelated, directly) flaw still exists in Yahoo Messenger 3.0b1 for mac os X.

As described:

“Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim’s buddy list. This message would have to be sent through Yahoo! servers, and could not be exploited peer-to-peer. [...] A remote user may be able to add users to the victim’s buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.”

US-CERT describes a vector threat from this flaw—i.e. a user is added to your buddy list unintentionally, and said buddy attempts to send you potentially malicious data.

However, another aspect of this flaw allows an attacker to send false packets to user and force Yahoo Messenger to open new PM windows from contacts that don’t exist and bomb said person with hundreds of private message windows opening up causing client lag and eventual client disconnect from Yahoo! servers(...)

This entry was posted on Friday, August 11th, 2006 at 9:15 am and is filed under OS X Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.