Hackers Exploit Yahoo Music Jukebox Errors
Two critical flaws were recently detected in the Yahoo Music Jukebox YMP Datagrid and the Yahoo Mediagrid Active X controls, which contain multiple stack buffer overflow vulnerabilities, according to a U.S. Computer Emergency Readiness Team warning posted Tuesday on the agency's Web site.
The errors, deemed extremely critical by Secunia's vulnerability tracking service, could allow a remote hacker to gain unauthenticated entry into affected systems by enticing an unsuspecting user into viewing a specially crafted Web page or HTML e-mail message. Malicious code could then be executed on the affected system that would allow attackers to have remote access with the privileges of an authenticated user, according to the U.S. CERT warning.
Security researcher Elazar Broad disclosed the vulnerabilities in a proof of concept exploit, which he posted on the Milw0rm site Sunday. Within 24 hours, Symantec security experts discovered exploits targeting one of the two vulnerabilities, and contend that the other error will likely be targeted for attack in the near future.
Experts say that this kind of vulnerability will likely be susceptible to cyber attacks coming from student groups in China. Roger Thompson, chief research officer at AVG Technologies based in Orlando, Fla., noted that these student organizations were responsible for hacking into the Superbowl Web site in 2007 and have also been integral in executing attacks in the virtual world.
"In the past, the Chinese exploit developers have been very quick to seize on something like this," said Thompson. "These college kids are very bright. They tend to break the initial ground and then criminal gangs who are certainly organized will borrow these exploits."
Yahoo Music Jukebox is the default music software sold by the Sunnyvale, Calif.-based company. News of the vulnerabilities comes closely on the heels of Yahoo's announcement that it plans to abandon its unlimited music service and instead put on-demand music in the hands of RealNetworks' Rhapsody service. Yahoo did not immediately respond to communication from ChannelWeb.
So far Yahoo has not issued a patch and there are no known fixes for the problem. To workaround the exploit, U.S. CERT recommends in its bulletin that users disable the YMP Datagrid ActiveX control in Internet Explorer Web browser, which will also prevent exploitation of other ActiveX vulnerabilities. Users can disable the ActiveX control by setting the kill bit for the following CLSID: 5F810AFC-BB5F-4416-BE63-E01DD117BD6C.
"Fortunately, it's not the end of the world," said Thompson. "Not everybody will have Music Jukebox installed."
However, ActiveX has had its share of beatings in recent days. The Yahoo media player is one of at least three pieces of Web software riddled with ActiveX flaws which leave users susceptible to remote attack. Multiple vulnerabilities detected in the Aurigma Image Uploader ActiveX control have recently left MySpace and Facebook members open to attack when they upload images through Internet Explorer Web browser on the Windows platform.