Yahoo fixes messenger flaws

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malware on targeted machines. The timing is good, since more exploit code is circulating.

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines. The update comes as security experts track increased instances of exploit code in the wild.

The Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site Sunday. ISC handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible. "Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."

Yahoo Messenger:
Serious flaws put Yahoo Messenger users in peril: Attackers could exploit two serious flaws in Yahoo Messenger to run malicious code on targeted machines, vulnerability trackers warned Wednesday.

The flaws first came to light last week, when Aliso Viejo, Calif.-based eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."

Danish vulnerability clearinghouse Secunia took the description a few steps further in its advisory, saying the problems are a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method; and a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method.

The flaws affect version 8.1.0.249, Secunia said. The firm recommended users mitigate the risk by setting the kill bit for the affected ActiveX controls or, better yet, installing the updated version of Yahoo Messenger.

Dig deeper on Social media security risks and real-time communication security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close