
16 Oct 2015

Pawn Storm attack: Flash zero-day exploit hits diplomatic inboxes

Hackers behind a long-running cyber-espionage campaign have begun using a new Adobe Flash zero-day exploit in their latest campaign.

The attackers behind Pawn Storm targeted several foreign affairs ministries from around the globe using a Flash-based attack, Trend Micro reports.

The targets received spear phishing emails that contained links pointing towards sites hosting the exploit. These emails were themed so that they appeared to offer links to news analysis articles and pieces. Examples included “Syrian troops make gains as Putin defends air strikes” and “Israel launches air strikes on targets in Gaza”.

The URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted NATO members and the White House in April this year, security researchers at Trend Micro note.

The Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207, based on the initial results of an ongoing analysis by security researchers from Trend Micro.

Trend Micro has notified Adobe about its discovery, with which it went public on Wednesday. In the meantime, Trend has updated its own enterprise security tools to block attacks targeting this particular software security hole.

Adobe released a scourge of vulnerability fixes for Reader and Flash on Tuesday, as part of its regular monthly patching cycle.

But these updates failed to plug the 0-day (CVE-2015-7645) abused by Pawn Storm, Adobe spokeswoman Heather Edell confirmed. Adobe expects to make a cross-platform update for this critical bug available during the week of 19 October.

More detail can be found in Adobe's holding statement. There is no workaround short of a patch, so, as El Reg has repeatedly suggested, users should consider removing Flash altogether, or at least enabling click-to-play in the browser so that only Flash files they trust are ever run.
Storm in a coffee cup

The Pawn Storm crew are innovators in the world of APT-style hacking and previously unknown software security holes. For example, the group used a Java zero-day in an earlier run of attacks.

Pawn Storm cyberspies are trying multiple strategies in their attempt to break into foreign affairs ministries, and these efforts extend beyond the latest spear-phishing run with its Flash exploit. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These were used for simple, but extremely effective, credential phishing attacks.

“One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised,” Trend Micro reports. “This means that Pawn Storm has been intercepting incoming email to this organisation for an extended period of time in 2015.”

Official source: http://www.theregister.co.uk/2015/10/15/pawn_storm_flash_0day_attack/

8 Oct 2015

Kemoge adware infects users in more than 20 countries

Yet another adware campaign stemming from China has been identified, and in this latest campaign, victims' Android devices can be completely taken over.

The Kemoge adware family, as FireEye calls it, is thought to originate in China. Its infections already span more than 20 countries, including the U.S. and Russia. The adware disguises itself as repackaged popular apps, including “Calculator,” “Talking Tom 3,” and “Smart Touch.” These apps are put on third-party app stores.

Although the infection is relatively typical, with the downloaded app first serving up annoying ads and then trying to gain root access, it does come with one notable new feature. After gaining root, the malware searches for antivirus (AV) software and deliberately tries to uninstall or disable it.

Yulong Zhang, a FireEye research scientist, said in an interview with SCMagazine.com that this was the first time an adware group's been documented going directly for AV vendors in order to remain on a device.

Going back to the adware's technique for gaining root, once a user downloads a malicious app, the malware unpacks its disguised .zip file, which is protected by at least three layers of encryption. The perpetrators go to great lengths to keep their ultimate payload hidden.

The payload contains exploits for multiple Android devices, including Motorola and Samsung, Zhang said. The apps also don't ask for administrator privileges, although Zhang said users typically breeze through the permissions page anyway. Instead, the app requests access to portions of the phone where it might be able to run a root exploit. The camera is one example, he said.

“There's no direct relationship between the description of a permission and its root exploit,” he explained. “It might access the camera, but there may be some vulnerability in the camera's library, and the app can obtain root by exploiting it.”

While these apps are all located on a third-party store, Zhang did point out that one of the malicious apps was designed by a developer whose products appear in the legitimate Google Play store. It doesn't necessarily mean any apps made it through to the real Android marketplace, but Zhang did caution that it's a possibility.

Although a malicious app might not be live now, it could have been in the past and then upgraded to a benign state.

Official source: http://www.scmagazine.com/fireeye-identifies-new-adware-family/article/443726/

6 Oct 2015

Global nuclear facilities ‘at risk’ of cyber attack

The risk of a "serious cyber attack" on nuclear power plants around the world is growing, warns a report.

The civil nuclear infrastructure in most nations is not well prepared to defend against such attacks, it added.

Many of the control systems for the infrastructure were "insecure by design" because of their age, it said.

Published by the influential Chatham House think tank, the report studied cyber defences in power plants around the world over an 18-month period.
Core breach

Cyber criminals, state-sponsored hackers and terrorists were all increasing their online activity, it said, meaning that the risk of a significant net-based attack was "ever present".

Such an attack on a nuclear plant, even if small-scale or unlikely, needed to be taken seriously because of the harm that would follow if radiation were released.

In addition, it said "even a small-scale cyber security incident at a nuclear facility would be likely to have a disproportionate effect on public opinion and the future of the civil nuclear industry".

Unfortunately, research carried out for the study showed that the UK's nuclear plants and associated infrastructure were not well protected or prepared because the industry had converted to digital systems relatively recently.

This increasing digitisation and growing reliance on commercial software is only increasing the risks the nuclear industry faces.

There was a "pervading myth" that computer systems in power plants were isolated from the internet at large and because of this were immune to the kind of cyber attacks that have dogged other industries.

However, it said, this so-called "air gap" between the public internet and nuclear systems was easy to breach with "nothing more than a flash drive". It noted that the destructive Stuxnet computer virus infected Iran's nuclear facilities via this route.

The story of Stuxnet

In 2009, a malicious computer program called 'Stuxnet' was manually uploaded into a nuclear plant in Iran.
The worm took control of 1,000 machines involved with producing nuclear materials, and instructed them to self-destruct.

The researchers for the report had also found evidence of virtual networks and other links to the public internet on nuclear infrastructure networks. Some of these were forgotten or simply unknown to those in charge of these organisations.

Search engines that seek out critical infrastructure had already indexed these links, making it easy for attackers to find ways into networks and control systems.

Keith Parker, chief executive of the Nuclear Industry Association, said: "Security, including cyber security, is an absolute priority for power station operators."

"All of Britain's power stations are designed with safety in mind and are stress-tested to withstand a vast range of potential incidents," he added. "Power station operators work closely with national agencies such as the Centre for the Protection of National Infrastructure and other intelligence agencies to always be aware of emerging threats."

In addition, said Mr Parker, the industry's regulator continuously monitors plant safety to help protect it from any outside threats.

In June this year the International Atomic Energy Agency held its first international conference about the cyber threats facing plants and manufacturing facilities. At the conference Yukiya Amano, director of the IAEA, said both random and targeted attacks were being directed at nuclear plants.

"Staff responsible for nuclear security should know how to repel cyber-attacks and to limit the damage if systems are actually penetrated," he said in a keynote address to the conference.

The civil nuclear industry should do a better job of measuring cyber attack risks and improve the way it defends against them, according to Chatham House. Many plants examined by the report's researchers lacked preparedness for large-scale attacks that took place outside office hours.

"The nuclear industry is beginning - but struggling - to come to grips with this new, insidious threat," said Patricia Lewis, research director of Chatham House's international security programme.

Official source: http://www.bbc.com/news/technology-34423419

25 Sep 2015

Security wares like Kaspersky AV can make you more vulnerable to attacks

Antivirus applications and other security software are supposed to make users more secure, but a growing body of research shows that in some cases, they can open people to hacks they otherwise wouldn't be vulnerable to.

The latest example is antivirus and security software from Kaspersky Lab. Tavis Ormandy, a member of Google's Project Zero vulnerability research team, recently analyzed the widely used programs and quickly found a raft of easy-to-exploit bugs that made it possible to remotely execute malicious code on the underlying computers. Kaspersky has already fixed many of the bugs and is in the process of repairing the remaining ones. In a blog post published Tuesday, he said it's likely he's not the only one to know of such game-over vulnerabilities.

"We have strong evidence that an active black market trade in antivirus exploits exists," he wrote, referring to recent revelations that hacked exploit seller Hacking Team sold weaponized attacks targeting antivirus software from Eset.

He continued: "Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks. For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software. Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."

As Ormandy suggested, the bugs he found in Kaspersky products would most likely be exploited in highly targeted attacks, such as those the National Security Agency might carry out against a terrorism suspect or spies pursuing an espionage campaign might carry out against the CEO of a large corporation. That means most people are probably better off running antivirus software than foregoing it, at least if their computers run Windows. Still, the results are concerning because they show that the very software we rely on to keep us safe in many cases makes us more vulnerable.

Kaspersky isn't the only security software provider to introduce bugs in their products. Earlier this month, security researcher Kristian Erik Hermansen reported finding four vulnerabilities in the core product marketed by security firm FireEye. One of them made it possible for attackers to retrieve sensitive password data stored on the server running the program. Ormandy has also uncovered serious vulnerabilities in AV software from Sophos and Eset.

In a statement, Kaspersky Lab officials wrote, "We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions. Our specialists have no evidence that these vulnerabilities have been exploited in the wild."

The statement went on to say that Kaspersky Lab developers are making architectural changes to their products that will let them better resist exploit attempts. One change included the implementation of stack buffer overflow protection, which Ormandy referred to as "/GS" in his blog post. Other planned changes include the expansion of mitigations such as address space layout randomization and data execution prevention (for much more on these security measures see How security flaws work: The buffer overflow by Ars Technology Editor Peter Bright). Ormandy thanked Kaspersky Lab for its "record breaking response times" following his report.

Still, the message is clear. To do its job, security software must acquire highly privileged access to the computer it protects, and all too often this sensitive position can be abused. Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.

"The chromium sandbox is open source and used in multiple major products," he wrote. "Don't wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."

Official source: http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/

24 Sep 2015

ARIN Finally Runs Out of IPv4 Addresses

It is often said, "the Internet is running out of phone numbers," as a way to explain to those unfamiliar with Internet technologies that the Internet is running out of IPv4 addresses. IPv4 addresses, like phone numbers, are assigned hierarchically and thus have inherent inefficiency. The world's Internet population has been growing and the number of Internet-connected devices continues to rise, with no end in sight. In the next week, the American Registry for Internet Numbers (ARIN) will have exhausted its supply of IPv4 addresses. The metaphorical IPv4 cupboards are bare. This long-predicted event in Internet history marks the opening of a new chapter in the Internet's evolution. However, it is somehow anti-climactic now that the date has arrived. The Internet will continue to operate, but all organizations must now accelerate their efforts to deploy IPv6.

ARIN IPv4 Address Exhaustion

The Internet Assigned Numbers Authority (IANA) delegates authority for Internet resources to the five RIRs that cover the world. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for the United States, Canada, the Caribbean, and North Atlantic islands. ARIN has been managing the assignment of IPv4 and IPv6 addresses and Autonomous System (AS) numbers for several decades. Each RIR has been managing their limited IPv4 address stores and going through their various phases of exhaustion policies. ARIN has been in Phase 4 of their IPv4 depletion plan for more than a year now. ARIN will soon announce that they have completely extinguished their supply of IPv4 addresses.

At this point, the rules for how address resources are allocated will change. Address resource applicants may not get their justified request fulfilled and might be offered a smaller block or the choice to be added to a waiting list. This page documents the process for the waiting list for unmet IPv4 address requests. To review the unmet resource policies, consult the Number Resource Policy Manual (NRPM), check out section 4.1.8. However, when the supply of IPv4 address space drops to 0.00000, then there will be no more addresses to allocate. If IPv4 addresses become available, then the policies in the NRPM will dictate that they are given out based on the Waiting List for Unmet Requests method.
IPv4 Exhaustion Predicted for Decades

Predictions of IPv4 depletion date back to the early 1990s. The IETF formed the Address Lifetime Expectations (ALE) Working Group in the mid-1990s to analyze the rate of IPv4 adoption in anticipation that this date would come. Concern about the IPv4 address supply was the primary reason the IETF wanted to create a new version of the Internet Protocol (IP). The IETF IP Next Generation (IPng) working group started its work around that time, and the first IPng was drafted around 1993. In those early days of the Internet, no one could have predicted its tremendous growth. The IETF created Internet Protocol version 6 and finalized the header format with RFC 2460 in 1998. Each year, as the IPv4 Internet grew at breakneck speed, the transition to IPv6 became more and more daunting.
Prolonging IPv4’s Lifespan

As the Internet began to grow, techniques like Classless Interdomain Routing (CIDR) and Network Address Translation (NAT) were used to extend life support for IPv4 for almost two decades. Now ISPs are looking at using Carrier Grade NAT (CGN)/Large Scale NAT (LSN) to further prolong the use of IPv4. However, many of these multi-NAT techniques cause problems for many popular Internet applications. We can expect that other techniques will be contrived to keep the much-loved IPv4 protocol running for decades to come.

No End in Sight for IPv4

Few organizations are thinking about when they may eventually stop using IPv4. Some enterprise organizations have not given IPv6 much thought and are not aggressively moving to implement it. Organizations will not be able to cut over directly from IPv4 to IPv6. The dual-stack transition technique is the dominant transition strategy (tunnels are to be avoided when possible). In other words, organizations are encouraged to use native IPv6.

Even if an organization starts to deploy IPv6 immediately, it will still require the use of IPv4 for years to come. IPv6 may not have a large impact on an organization's near-term IPv4 address constraints. Those few enterprise organizations are playing a dangerous "game of chicken" by ignoring IPv6. While there are techniques for prolonging the lifespan of IPv4, organizations may end up with limited options. Going forward, organizations that require additional IPv4 addresses will need to request them from their service provider (provided it has any addresses left to lease) or purchase them on the open market. As IPv4 address blocks get traded around and split up, we can expect the Internet routing tables to become increasingly fragmented.

Organizations that deploy IPv6 will be living in a dual-stack world for many years. During that period of using both IPv4 and IPv6 in parallel, organizations will likely incur increased operating expenses. Gradually, over time, the cost of running an IPv4 network will increase.
Now What? Move to IPv6!

So now that this Internet historic date of ARIN’s IPv4 run-out has arrived, we should review what our own organizations are doing to plan for the next phase of the Internet’s lifespan.

Internet Service Providers (ISPs) should already be well on their way through their IPv6 deployments. If you work for an ISP that has not yet started your IPv6 deployment then you are in serious danger of falling far behind your competitors.

If you are an enterprise organization, then your plans for the future need to be quickly defined and put into action. Your organization no longer has the option to continue to ignore IPv6. However, your organization may be planning to invest in purchasing additional IPv4 addresses. Your organization will then be forced to tolerate the use of multiple layers of NAT and the application problems that come with it, and to invest in larger Internet routers to handle the rapidly expanding IPv4 Internet routing tables. Your organization should be planning for future years of legacy IPv4 Internet connectivity and actively moving toward full deployment of IPv6.

If your organization is one of those that waited to embrace IPv6, then you are in luck, as there are plenty of resources available to help you with your IPv6 planning and deployment. While Wikipedia.org can get you started learning the basics, you should visit the Internet Society Deploy360 Programme IPv6 page. You should also explore ARIN’s own Get6 site. We wish you the best of luck configuring your systems so you can reach the "whole Internet" using IPv6 and not just the "old Internet" using IPv4.

Official source: http://www.networkworld.com/article/2985340/ipv6/arin-finally-runs-out-of-ipv4-addresses.html

22 Sep 2015

Apple’s App Store infected with XcodeGhost malware in China

Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.

It is thought to be the first large-scale attack on Apple's App Store.

The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.

Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.

Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.

It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.

Infected applications include Tencent's hugely popular WeChat app, NetEase's music downloading app and Didi Kuaidi's Uber-like car hailing app.

Some of the affected apps - including the business card scanner CamCard - are also available outside China.

"We've removed the apps from the App Store that we know have been created with this counterfeit software," said Apple spokeswoman Christine Monaghan.

"We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," said Christine Monaghan.

On its official WeChat blog, Tencent said the security issue affected an older version of its app - WeChat 6.2.5 - and that newer versions were not affected.

It added that an initial investigation showed that no data theft or leakage of user information had occurred.

In Apple's walled garden App Store, this sort of thing shouldn't happen.

The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.

The Apple App Store is generally considered a safe haven because the barrier to entry is high: there have only been a handful of instances of malware found in iOS apps, compared to Google's Play store, which for a while was regarded as something of a "Wild West" for apps (until Google introduced its own malware-scanning system too).

It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.

Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.

And secondly, Apple's quality testers, who generally do a very good job in keeping out nasties, but in this case couldn't detect the threat.

Official source: http://www.bbc.com/news/technology-34311203

21 Sep 2015

Two-week-old WordPress malware attack is blossoming into a real threat

MALWARE DETECTING, preventing and protecting company Sucuri has warned the world about a problem in WordPress that is two weeks into the threat charts already and is rising rapidly.

The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm - which reported on it just two weeks ago - hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.

"We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites," explained Sucuri CTO Daniel Cid in a blog post.

"This post should serve as a resource to help WordPress administrators (i.e. webmasters) in the WordPress community."

It may well do. The information suggests an evolving and interesting malware system that Cid said could be used to trick web users into trusting the most devious of webpages.

"This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors," he said.

"If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What's the easiest way to reach out to endpoints? Websites, of course."

Sucuri added that it is trying to track down the entry point, but that it might be any one of the many plugins released for the platform.

"We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins," the firm said.

"Out of all the sites we detected to be compromised, 17 percent of them already got blacklisted by Google and other popular blacklists."

Official source: http://www.theinquirer.net/inquirer/news/2426659/two-week-old-wordpress-malware-attack-is-blossoming-into-a-real-threat

17 Sep 2015

Lock screen flaw found in Android

A security flaw in Android that lets people bypass the lock screen on a mobile device has been discovered by researchers at the University of Texas.

They found that trying to unlock the phone or tablet with an abnormally long password caused the lock screen to crash in certain conditions.

The flaw was limited to Android Lollipop, the most recent version of the mobile operating system.

Google issued a patch for its Nexus devices on Wednesday.

About 21% of Android users run affected versions of the operating system.

After crashing the lock screen, the researchers were able to access the phone's data and apps.

The vulnerability could not be exploited if people had chosen a lock pattern or PIN code instead of a password.

While Google is rolling out its fix for Nexus, other phone manufacturers are responsible for distributing the software to their own handsets.

On releasing the patch, Google said it had not yet detected anybody exploiting the flaw.

Official source: http://www.bbc.com/news/technology-34268050

11 Sep 2015

North Korea exploits 0-day in Seoul’s favourite word processor

FireEye researchers Genwei Jiang and Josiah Kimble say attackers from North Korea exploited a zero-day vulnerability in a word processor popular with the South Korean government.

The attackers went after the vulnerability (CVE-2015-6585) in the Hangul Word Processor prior to a patch issued last Monday.

Accurate attribution of North Korean actors is inherently difficult; however, Jiang and Kimble say the attack payloads and infrastructure strongly point to the North. There is no suggestion of Pyongyang's involvement.

"While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye intelligence assesses that this activity may be associated with North Korea-based threat actors," the pair say in an advisory (PDF).

The attackers use a backdoor dubbed Hangman that can receive and send encrypted files and commands and gather system intelligence. Those backdoor samples point to the same command and control infrastructure used in a known North Korean attack in June dubbed "Macktruck".

Moreover, the backdoor's functions are seen in little else than another backdoor, dubbed PeachPit, which is pinned on North Korea-based attackers.

"This implies that PeachPit and Hangman were written by the same developers or, at minimum, share some of the same source code. Given that we have observed only limited use of backdoors such as PeachPit, it is reasonable to theorise that in addition to a common development history, the backdoors may be used by the same or closely related threat actors."

While the pair make no mention of intent, it is reasonable to expect the attackers sought access to Seoul government systems or those used by its contractors who are popular adopters of the Hangul Word Processor.

Attacks from the North against South Korea are commonplace. Many outside observers say the North is at an advantage because its internet infrastructure is so small while its target's attack surface is much larger.

Reports suggest the North Korean government rewards its Bureau 121 hackers handsomely. That unit, said to number 1,800 staff, is fingered for the devastating attack on Sony Pictures.

Official source: http://www.theregister.co.uk/2015/09/10/north_korea_exploits_zero_day_in_seouls_favourite_word_doc/

11 Sep 2015

Yahoo! won’t! fix! emoticon! exploit! in! death! row! Messenger!

Updated: Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won't fix.

The buffer overflow holes (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!'s to-do list.

Yahoo! has been contacted for comment.

Exploiting the flaw relies on victims installing new emoticon packages, a vector Ahrens feels is a very live threat given that instant messaging users are rather keen on new sets of smiley faces.

Those who install the corrupt emoticon package will hand attackers the same access rights they have. If the ruse fails, Yahoo! Messenger will crash.

Here's how Ahrens explains the mess:

The application loads the content of the file emoticons.xml from two different directories when a user logins to determine the available emoticons and their associated shortcuts … but the application does not properly validate the length of the string of the shortcut and title key values before passing them as an argument to different lstrcpyW calls.

This leads to a stack-based buffer overflow condition, resulting in possible code execution.
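The unchecked-copy pattern Ahrens describes, next to a length-validated version, as an added example in C; this is not code from Yahoo! Messenger or from Ahrens' advisory. It assumes hypothetical buffer sizes, uses the portable wcscpy in place of the Windows-only lstrcpyW, and the emoticon entries are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Fixed-size on-stack record for one emoticon entry (hypothetical sizes;
 * the real Yahoo! Messenger layout is not described on the page). */
#define SHORTCUT_MAX 16
#define TITLE_MAX    32

struct emoticon {
    wchar_t shortcut[SHORTCUT_MAX];
    wchar_t title[TITLE_MAX];
};

/* Bounded length scan: never reads past 'cap' characters, so an
 * unterminated value cannot make the check itself read out of bounds. */
static size_t wlen_bounded(const wchar_t *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != L'\0')
        n++;
    return n;
}

/* The vulnerable pattern: values read from emoticons.xml are copied with an
 * unbounded wide-string copy (wcscpy stands in for lstrcpyW). If either
 * value is at least as long as its destination, the copy runs past the end
 * of the struct and corrupts the caller's stack frame. Kept only to show
 * the defect; it is never called with an over-long value in this file. */
void load_emoticon_unchecked(struct emoticon *e,
                             const wchar_t *shortcut, const wchar_t *title)
{
    wcscpy(e->shortcut, shortcut);
    wcscpy(e->title, title);
}

/* The hardened version: validate both lengths against the destination
 * sizes before copying and reject the entry if either does not fit
 * (terminator included). */
bool load_emoticon_checked(struct emoticon *e,
                           const wchar_t *shortcut, const wchar_t *title)
{
    if (e == NULL || shortcut == NULL || title == NULL)
        return false;
    if (wlen_bounded(shortcut, SHORTCUT_MAX) >= SHORTCUT_MAX)
        return false;
    if (wlen_bounded(title, TITLE_MAX) >= TITLE_MAX)
        return false;
    /* Both values are now known to fit, so the copies are safe. */
    wcscpy(e->shortcut, shortcut);
    wcscpy(e->title, title);
    return true;
}

/* Constructed stand-in for the parsed content of a third-party emoticon
 * package: two ordinary entries and one with an over-long shortcut. */
struct raw_entry {
    const wchar_t *shortcut;
    const wchar_t *title;
};

static const struct raw_entry SAMPLE_PACKAGE[] = {
    { L":)",  L"smile" },
    { L":-(", L"sad"   },
    { L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", L"overlong" }, /* 40 chars */
};
#define SAMPLE_COUNT (sizeof SAMPLE_PACKAGE / sizeof SAMPLE_PACKAGE[0])

/* Loads the sample package with the checked loader and returns how many
 * entries were accepted; the over-long one is dropped instead of
 * overflowing the table. */
size_t load_sample_package(void)
{
    struct emoticon table[SAMPLE_COUNT];
    size_t accepted = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (load_emoticon_checked(&table[accepted],
                                  SAMPLE_PACKAGE[i].shortcut,
                                  SAMPLE_PACKAGE[i].title))
            accepted++;
    }
    return accepted;
}

/* Verdict on a single shortcut/title pair without keeping the record. */
bool entry_fits(const wchar_t *shortcut, const wchar_t *title)
{
    struct emoticon scratch;
    return load_emoticon_checked(&scratch, shortcut, title);
}

int main(void)
{
    wprintf(L"accepted %zu of %zu entries\n",
            load_sample_package(), (size_t)SAMPLE_COUNT);
    return 0;
}
```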

Ahrens claims Yahoo! sat on the bug since he first disclosed it in May last year, then approved his public disclosure last month after saying it will not fix the hole.

Ahrens quotes US government industry think tank MITRE as saying the emoticon package would normally be excluded from receiving a CVE vulnerability number but was given one because of an "existence proof that third parties actually do offer sets of emoticon files" and that "Yahoo! Messenger users actually do copy these" to the required directories.

Ahrens also took a swipe at Yahoo!'s bug bounty program, which declined to send him a cheque for finding this flaw, even though, he argues, Yahoo! Messenger is explicitly covered in the company's terms and conditions.

Update: Yahoo! has been in touch to say it "takes the security of our users very seriously, and as soon as we learned of this potential vulnerability, our team responded immediately to the security researcher and began an investigation. As the security researcher noted himself, 'exploitation [of this vulnerability] might be tricky,' and would take significant additional technological hurdles."

"Upon extensive investigation by our team," the spokesentity continued, "we’ve determined that this vulnerability is not easily exploitable, requiring users to actively install unsupported 3rd-party software into Messenger, and does not present a viable security threat to our users. We’ll continue to work with our thriving bug bounty community to ensure the most secure experience possible for our users.”

Official source: http://www.theregister.co.uk/2015/09/10/yahooii_wontii_fixii_emoticonii_exploitii_inii_deathii_rowii_messengerii/