Software // Enterprise Applications
News
8/31/2007
01:30 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Yahoo Issues Yahoo Messenger Security Fix

The patch addresses a buffer overflow vulnerability in an ActiveX control that could allow attackers to execute arbitrary code.

Yahoo has issued a patch for its instant messaging client, Yahoo Messenger.

The patch issued Wednesday addresses a buffer overflow vulnerability in an ActiveX control. Users who installed Yahoo Messenger before August 29, 2007 should install the update.

Microsoft's ActiveX controls can interact with the full Windows operating system, unlike Java applets. This gives them a lot of power and also makes them potentially risky.

iDefense Labs identified the Messenger vulnerability. "Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user," the company reported on its Web site. "Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site."

Yahoo said that it was unaware of any attempts to exploit the vulnerability. "Some impacts of a buffer overflow might include involuntary log out of a Yahoo Chat and/or Yahoo Messenger session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code," the company said. "In this case, these problems could only happen if an attacker successfully lured the Yahoo Messenger user to view malicious HTML code, most likely by getting a person to visit the attacker's Web page. To our knowledge, there have been no known malicious executable code exploits related to this issue."

Yahoo issued another security patch for Yahoo Messenger on Aug. 21. That patch addressed two security issues with the way the software's Webcam functions work: susceptibility to a denial-of-service attack following a malicious Webcam invitation and a buffer overflow that could lead to the introduction of executable code by an attacker.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.