Yahoo Messenger Hole Found

A new vulnerability in Yahoo Inc.'s instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.

Details of the vulnerability were first posted on a Chinese-language security forum and was later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee Inc.'s Avert lab in Beijing, on a company blog.

So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.

The vulnerability affects Yahoo Messenger version 8.1.0.413. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behavior such as downloading other code, said Greg Day, a security analyst for McAfee in the U.K.

McAfee is advising that people reject Web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with program's operation, Day said.

Yahoo could not be immediately reached for comment.