Article

Yahoo fixes messenger flaws

SearchSecurity.com Staff

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines. The update comes as security experts track increased instances of exploit code in the wild.

The

    Requires Free Membership to View

Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site Sunday. ISC handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible. "Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."

Yahoo Messenger:
Serious flaws put Yahoo Messenger users in peril: Attackers could exploit two serious flaws in Yahoo Messenger to run malicious code on targeted machines, vulnerability trackers warned Wednesday.

The flaws first came to light last week, when Aliso Viejo, Calif.-based eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."

Danish vulnerability clearinghouse Secunia took the description a few steps further in its advisory, saying the problems are a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method; and a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method.

The flaws affect version 8.1.0.249, Secunia said. The firm recommended users mitigate the risk by setting the kill bit for the affected ActiveX controls or, better yet, installing the updated version of Yahoo Messenger.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: