Secunia Advisory: SA11471
Release Date: 2004-04-23
Critical: Moderately critical
Impact: System access
Where: From local network
Software: McAfee ePolicy Orchestrator 2.x
McAfee ePolicy Orchestrator 3.x
CVE reference: CAN-2004-0038
An unspecified vulnerability has been discovered in McAfee ePolicy Orchestrator, which can be exploited by malicious people to execute arbitrary commands on a vulnerable system.
No more information is currently available.
Patch 4 for version 3.0 Service Pack 2a:
Patch 14 for version 2.5.1:
Provided and/or discovered by:
Reported by vendor.

Yahoo Messenger 'yinsthelper.dll' Overflow Lets Remote Users Crash the Client
SecurityTracker Alert ID: 1009914
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 22 2004
Impact: Denial of service via network
Exploit Included: Yes
Description: Rafel Ivgi (The-Insider) reported a denial of service vulnerability in Yahoo! Messenger. A remote user can create HTML that will cause Yahoo! Messenger to crash.
It is reported that Yahoo! Messenger installs 'yinsthelper.dll' and registers two vulnerable COM objects: 'YInstHelper.YInstStarter.1' and 'YInstHelper.YSearchSetting2'. A remote user can create HTML that references the objects with certain specially crafted property values that are greater than 255 bytes. Then, when the target user loads the HTML, the target user's Yahoo! Messenger client will crash, the report said.
The AppId, DesktopIcon, Test, Start2, and Set properties are reported to be vulnerable.
Some demonstration exploit examples are provided in the Source Message.
Impact: A remote user can create HTML that, when loaded by the target user, will cause the target user's Yahoo! Messenger client to crash.
Solution: No solution was available at the time of this entry.
Vendor URL: messenger.yahoo.com/
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: Rafel Ivgi
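
With no vendor fix listed, one way to reduce exposure is to check whether the two COM objects named in the alert are registered and whether the Internet Explorer kill bit is set for them. The script below is an added example, not part of the alert or of any vendor guidance. It assumes the HTML is rendered by Internet Explorer or another host that honors the kill bit, and it resolves the CLSIDs from the local registry because the alert gives only the ProgIDs.

```powershell
# Added example: audit (and with -Apply, kill-bit) the COM objects named in the alert.
# ProgIDs come from the alert text; CLSIDs are looked up locally, never hard-coded.
param([switch]$Apply)   # without -Apply the script only reports

$ProgIds = 'YInstHelper.YInstStarter.1', 'YInstHelper.YSearchSetting2'
$KillBit = 0x400        # "Compatibility Flags" bit that stops IE instantiating a control
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ClsidForProgId([string]$ProgId) {
    # HKCR\<ProgID>\CLSID holds the class id in its default value
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-Item -LiteralPath $key).GetValue('')
}

function Get-CompatFlags([string]$Root, [string]$Clsid) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    return [int](Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
}

foreach ($progId in $ProgIds) {
    $clsid = Get-ClsidForProgId $progId
    if (-not $clsid) { Write-Output "$progId : not registered"; continue }

    foreach ($root in $CompatRoots) {
        # Skip the WOW6432Node view on systems that do not have it
        if (-not (Test-Path -LiteralPath (Split-Path $root))) { continue }

        $flags = Get-CompatFlags $root $clsid
        $isSet = ($flags -band $KillBit) -ne 0
        Write-Output "$progId $clsid killbit=$isSet ($root)"

        if ($Apply -and -not $isSet) {
            $key = Join-Path $root $clsid
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any existing flag bits and add the kill bit
            Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -Value ($flags -bor $KillBit) -Type DWord
            Write-Output "  kill bit set for $clsid"
        }
    }
}
```

Setting the kill bit requires an elevated prompt and may disable whatever Yahoo! Messenger features rely on these objects being scriptable from a web page.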