IJSER Home >> Journal >> IJSER
International Journal of Scientific and Engineering Research
ISSN Online 2229-5518
ISSN Print: 2229-5518 8    
Website: http://www.ijser.org
scirp IJSER >> Volume 3,Issue 8,August 2012
A Zero-day Attach Exploiting a Yahoo Messenger Vulnerability
Full Text(PDF, )  PP.180-183  
Author(s)
Monther Aldwairi, Haitham Noman
KEYWORDS
—Vulnerability disclosure, vulnerabilities, exploits, Trojans, Yahoo messenger
ABSTRACT
In computers security terms, vulnerability is a flaw in the computer system due to a bug or weakness in software, security policy and/or overall system configuration. Vulnerabilities are recognized if they are exploited by attackers using a tool to allow system violation. Unfortunately, there is no one standard for vulnerability reporting to date, and the debate continues between supporters of full discloser, non-discloser and responsible disclosure. We follow the responsible disclosure definition outlined by Shepherd, by reporting the issue to the vendor first and give a month to the vendor to establish a meaningful connection or provide a suitable fix [1]. Otherwise, go public with full disclosure. In this paper we discuss techniques to exploit a weakness in Yahoo messenger client. We successfully build a Trojan, called Caruso, which basically allows the attacker to gain access to the victim's Yahoo account without the need to crack the password.
References
[1] S. Shepherd, Vulnerability Disclosure: How do we define Responsible Disclosure?, SANS Institute, (2003).

[2] F. Massacci, S. Neuhaus and V. H. Nguyen, After-Life Vulnerabilities: A Study on Firefox Evolution, Its Vulnerabilities, and Fixes, Lecture Notes in Computer Science: Engineering Secure Software and Systems, Springer Berlin, Heidelberg, (2011) Vol. 6542, pp.195-208.

[3] S. Frei, D. Schatzmann, B. Plattner and B. Trammell. Modeling the Security Ecosystem–The Dynamics of (In)Security. Proceedings of the Workshop on the Economics of Information Security, (2009), 24-25 June, University College London, England.

[4] B. Schneier. The nonsecurity of secrecy. Communications of the ACM, 47, 10 (2004).

[5] J. T. Chambers and J. W. Thompson. Niac vulnerability disclosure framework. Department of Homeland Security, (2004).

[6] US Computer Emergency Readiness Team. [last access 5/12/2012]. http://www.us-cert.gov/

[7] Microsoft response security center. Coordinated Vulnerability Disclosure. [last access 5/12/2012].

http://www.microsoft.com/security/msrc/report/disclosure .aspx

[8] SlicK, In-Depth Analysis of Yahoo! Authentication Schemes, RSTzone.org. [last access 5/12/2012]. http://www.xssed.com/article/14/Paper_InDepth_Analysis_of_Yahoo_Authentication_Schemes/

Untitled Page