8/31/2007
01:30 PM

Yahoo Issues Yahoo Messenger Security Fix

The patch addresses a buffer overflow vulnerability in an ActiveX control that could allow attackers to execute arbitrary code.

Yahoo has issued a patch for its instant messaging client, Yahoo Messenger.

The patch, issued Wednesday, addresses a buffer overflow vulnerability in an ActiveX control. Users who installed Yahoo Messenger before August 29, 2007, should install the update.

Microsoft's ActiveX controls can interact with the full Windows operating system, unlike Java applets. This gives them a lot of power and also makes them potentially risky.

iDefense Labs identified the Messenger vulnerability. "Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user," the company reported on its Web site. "Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site."

Yahoo said that it was unaware of any attempts to exploit the vulnerability. "Some impacts of a buffer overflow might include involuntary log out of a Yahoo Chat and/or Yahoo Messenger session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code," the company said. "In this case, these problems could only happen if an attacker successfully lured the Yahoo Messenger user to view malicious HTML code, most likely by getting a person to visit the attacker's Web page. To our knowledge, there have been no known malicious executable code exploits related to this issue."

Yahoo issued another security patch for Yahoo Messenger on Aug. 21. That patch addressed two security issues with the way the software's Webcam functions work: susceptibility to a denial-of-service attack following a malicious Webcam invitation and a buffer overflow that could lead to the introduction of executable code by an attacker.
