[UPDATE]
Yahoo has fixed its Webcam vulnerability. The patches for the Webcam vulnerabilities have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.
[Original blog:]
Earlier today Karthik blogged about details of a new zero-day in Yahoo! Messenger being published on some security forums in China. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 8.1.0.413 based on the information provided in the forum. It appears to be a classic heap overflow that can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the one patched in June, which exploited the Yahoo! Webcam ActiveX controls.
We’ve been able to reach the Yahoo! security team and have informed them about this issue.
We recommend the following to users using Yahoo! Messenger Webcam:
1) Don’t accept webcam invites from untrusted sources until a patch for this is released.
2) It’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.
To mitigate this, we’re releasing our NIPS IntruShield signatures today to protect Yahoo! Messenger users from this threat. We will keep monitoring this threat and post an update if we come across anything new.
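A check for recommendation 2, as an added example that is not part of the original post or any McAfee tooling: it scans a connection listing for sessions to remote TCP port 5100 so an administrator can confirm the egress block is holding. The sample rows are constructed in the column layout of `ss -tn`, and the function names are hypothetical.

```python
"""Audit `ss -tn`-style connection listings for sessions to TCP port 5100."""

WEBCAM_PORT = 5100  # port named in recommendation 2 above

# Constructed sample rows (documentation-range addresses, not real hosts).
SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB    0      0      192.0.2.10:49812      198.51.100.7:5100
ESTAB    0      0      192.0.2.10:5100       203.0.113.9:51544
ESTAB    0      0      192.0.2.10:49900      198.51.100.20:443
SYN-SENT 0      1      192.0.2.10:49951      198.51.100.8:5100
ESTAB    0      0      [2001:db8::10]:50010  [2001:db8::beef]:5100
"""


def split_endpoint(text):
    """Split 'host:port' or '[ipv6]:port' into (host, port)."""
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unparseable endpoint: {text!r}")
    return host.strip("[]"), int(port)


def webcam_connections(listing, port=WEBCAM_PORT):
    """Return (state, local, peer_host) for rows whose peer port is `port`."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 5:          # header or malformed row
            continue
        state, _rq, _sq, local, peer = fields
        try:
            _, local_port = split_endpoint(local)
            peer_host, peer_port = split_endpoint(peer)
        except ValueError:
            continue
        # Remote port 5100 from a different local port: heuristic for outbound.
        if peer_port == port and local_port != port:
            hits.append((state, local, peer_host))
    return hits


def established(hits):
    """Sessions that completed the handshake, i.e. were not blocked."""
    return [h for h in hits if h[0] == "ESTAB"]


if __name__ == "__main__":
    for state, local, peer in webcam_connections(SAMPLE):
        print(f"{state:9} {local} -> {peer}:{WEBCAM_PORT}")
```

With the egress block in place, `established()` should come back empty; rows left in SYN-SENT are attempts that did not complete.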
I believe that all people should trust each other “on yahoo” and open cams to each other no time to be selfish no time to say no because life is too short so open ur cam and lets have fun
Chet, we are amongst Morons :-
Please people use common sense don’t view cams from those you don’t know……..Enough of that though………….WHEN is Yahoo going to fix the rest of the problems???? Hell you can’t even go to a chatroom
please advise when patch is ready for download thank you tommy grana
if you don’t accept web cam so you want to chat with people you don’t even know what he looks like well that’s good for us because we are ugly.
its ok as long as it is not money matter or is these another that they need your credit card
On team509.com, I found two other 0days. One is about MSN Messenger; he said it affects 7.x and 8.0, and MSN 8.1 has patched the vuln, but why can’t I find an advisory in the MS security bulletin? Who can test it? I’m using MSN Messenger 7.5 now ;(
The other one is about MPC (Media Player Classic). I tested it on my MPC and it worked. Is there a patch for it?
Here are the two links:
http://www.team509.com/modules.php?name=News&file=article&sid=50
http://www.team509.com/modules.php?name=News&file=article&sid=38
Wow, that’s great McAfee is going to help Yahoo!! Coming to any company, we all experience a pitfall once in a while and it’s good that people join in to help. Good job McAfee
Obviously, Mr. Sam Wheat does not know the difference between a publicly released vulnerability information in a public forum like xfocus (do you even know how popular xfocus is in China and other places?) and paying for zero days and sponsoring zero days.
I believe that this blog is for technical discussions and keeping track of interesting trends and threats. So, if you have a personal dig at the author (Rahul) please contact him in person. Saves your time and others as well. (Why do I have a feeling that you are a representative of ZDI???)
Chill mate! You are missing the point completely here.
As regards the blog, Wei Wang good information for us. I shall keep track of this and please do inform the community in case you see any active exploitation on this issue. And yes I agree with the comments to people that we should never accept webcam invites….EVER!
Mr. Abrams,
Where I agree with you in practice, it is simply a fact that not everyone on yahoo or anywhere else is a technological expert. Although many on Yahoo! seem to think they are. Most users of chat are the every day “Joe.” They don’t know the difference between malicious code and a pornographic link sent to their Instant Message box. Most people will click on anything that pops up on their screen. Of course the proper advice would be for no one to accept ANYTHING even from so called “trusted” sources, because after all who can one trust on the Internet? But one has to be realistic in realising that there are going to be many out there who will accept even if they don’t know the person sending. The PROPER advice is to NOT accept ANY webcam invites. Period.
In a chatroom full of users you’ve never met before how can you EVER truly trust them? Who’s to say that those you’ve met and spoken with in IM aren’t a part of a social engineering ploy? The proper advice is to reject cam invites until the threat is mitigated by a patch.
Wait a minute, is McAfee publicizing an unpatched zero-day issue here, thereby creating “hype and FUD by giving the world a chance to exploit” it? Quick, someone tell Rahul! I’m sure he’ll be incensed by McAfee’s irresponsible actions that put at risk the “Internet community at-large” who aren’t McAfee customers and are Yahoo Webcam users by arming up non-Chinese hackers who wouldn’t have heard of this.
I’m shocked that you would suggest it is ever a good idea to accept webcam invites from untrusted sources. The proper advice is not to accept webcam invites from untrusted sources at any time. The release of a patch does not make dealing with untrusted sources a safe practice.
Randy Abrams
Director of Technical Education
ESET LLC