Yet another Yahoo zero-day attack hits the Web

Zero-day vulnerabilities in Yahoo products are not something novel and should be taken very seriously. Last year, we also saw a couple of ActiveX based vulnerabilities in Yahoo Messenger that are still exploited and incorporated into various web-based attack kits. One of the most prolific still is the Yahoo Webcam ActiveX Controls buffer overflow vulnerability .

Yahoo Music Jukebox is free music-management software that lets you play music files, burn CDs, and tune into your favorite Web radio stations. Within a day of the new Yahoo Jukebox zero-day being publicly disclosed on February 2, a fully working exploit was developed and widely circulated in various forums.

The first vulnerability is a stack-based buffer overflow in the overly long “url” parameter passed to the AddButton and AddImage functions in the YMP DataGrid ActiveX control (datagrid.dll).

The second vulnerability is a buffer overflow with a long “bitmapUrl” parameter passed to the AddBitmap function in the YMGMediaGridAx ActiveX control (mediagridax.dll).

This issue has been observed with Mediagridax.dll version 2.2.2.056 and datagrid.dll version 2.2.2.056, which are distributed as part of latest version of Yahoo Music Jukebox 2.2.2.056 and few older Yahoo Messenger versions.

A further temporary workaround for the problem would be to set the killbit for the offending ActiveX controls:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22FD7C0A-850C-4A53-9821-0B0915C96139}

It could be only a matter of time until we see customized versions of these exploits make their way into the wild to be employed by malware authors to infect machines. McAfee customers have been protected from this threat since the 5223 DATS–as JS/Exploit-YahooGrid.