McAfee Avert Labs has uncovered a new zero-day in Yahoo Messenger Webcam and are warning people not to accept invites from people they don"t trust until a patch is out. Avert Labs is calling this a "classic heap overflow" that can be triggered when a victim accepts a webcam invitation. The issue was first discovered when it was reported on security forums in China. Avert Labs notes in a blog posting that this problem is not the same as the one Yahoo patched in Juneāthat earlier vulnerability had to do with a buffer overflow in Yahoo Webcam ActiveX controls.
Besides eschewing invites from strangers, Avert Labs is also advising Messenger users to block outgoing traffic on TCP port 5100 until Yahoo patches the hole. McAfee has added signatures to its NIPS IntruShield to protect its customers who use Messenger.