Re: Team Asylum: Yahoo! Messenger DoS

[atruiz () CBU EDU (Alan T. Ruiz)]

I still see the same problem in build 734.

----- Original Message -----
From: Team Asylum <security () TEAM-ASYLUM COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, September 28, 1999 8:08 PM
Subject: Team Asylum: Yahoo! Messenger DoS

> Team Asylum Security
> Copyright (c) 1999 By CyberSpace 2000
> http://www.team-asylum.com
> Source: Jason Pearsall [jason () team-asylum com]
> Alert Date: 09/18/99
> Release Date: 09/27/99
>
> Affected
> --------
> - Yahoo! Messenger (build 733) for Windows 95/98.
>
> Product Description
> -------------------
> Yahoo! Messenger is a multi-functional online IM client which offers
> not only instant messaging, but also content-driven features integrated
> into Yahoo!'s vast amount of information services such as stock market
> updates, e-mail, and news.
>
> Alert Description
> -----------------
> A denial of service attack exists in build 733 of Yahoo! Messenger.
> The vulnerability exists when Messenger leaves port 5010 open.  When
> a connection is made on port 5010, Messenger crashes.  The connection
> stays open until the user closes the program.
>
> Malicious users can not only crash Yahoo! Messenger users, but it also
> gives them the capability of scanning and detecting Messenger users
> across wide networks by simply scanning port 5010.
>
> Fix
> ---
> Team Asylum has notified Yahoo! and they have released build 734.
> Yahoo! Messenger (Build 734) still has port 5010 open but will not crash
> if connections are made unto it.
>
> Yahoo! Messenger can be found at:
>
> http://messenger.yahoo.com