Yahoo Messenger Install Secuirty

From: Kyle Duren (acidrain_ask@pixitha.com)
Date: 08/27/02


Date: 27 Aug 2002 06:48:35 -0000
From: Kyle Duren <acidrain_ask@pixitha.com>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

Im now 100% sure where I should post this or who to tell, but here goes.

I was messing around with just installing some chat programs when I came
across Yahoo Messenger. Well I started the install, and oddly enough its a
lil different. Yahoo decided it would be easier for the user to just
download all the install files from them, on the fly.

The way it does it apperas to be via http:

GET /download.yahoo.com/dl/installs/ymsgr/ymsgr_1228.exe HTTP/1.1

Then the server responds (a19.g.a.yimg.com).

And sends the files.

Well this sounds all fine and dany, except it sounds very familiar to what
the Apple Software Update Util used to do. No passwords or secrity on the
download. The installer never even seems to verify the files.

This leads me to think that someone with enough time and brains could fool
the "victim" computer to download some bogus Yahoo messenger files and
install them instead of the legit ones.

The info on the Apple Security Hole is at:
http://www.cunap.com/~hardingr/projects/osx/exploit.html

Of course this was fixed very quickly by Apple.

Can someone verify this as a valid exploit?

Thanks
Kyle Duren