A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers.
Details of the vulnerability were first posted on a Chinese-language security forum and were later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog.
So far, no exploit code has been published, wrote Karthik Raman, also of McAfee.
The vulnerability affects Yahoo Messenger version 220.127.116.113. It is triggered when a user accepts an invitation to use their Web camera. The type of vulnerability is called a heap overflow, where a piece of code can be executed with improper permissions, which can allow for further malicious behaviour such as downloading other code, said Greg Day, a security analyst for McAfee in the UK.
McAfee is advising that people reject web camera invitations until Yahoo issues a patch. Users can also block outgoing traffic on TCP port 5100, which is affiliated with the program's operation, Day said.
Yahoo could not be immediately reached for comment.