Security update fixes Yahoo Widgets flaw

Attackers could exploit a Yahoo Widgets flaw to run malicious code on compromised Windows computers, but a security update is available.

Attackers could exploit a Yahoo Widgets flaw to run malicious code on compromised Windows machines, but Yahoo has released a security update to fix it.

Yahoo Widgets is a platform that allows users to run small, Web-based services on computer desktops. According to the Yahoo Web site, the Widget Gallery offers users more than 4,000 desktop Widgets and the program works on both Windows and Mac OS X machines. The security flaw, discovered by vulnerability researcher Parvez Anwar, affects Windows users only and is caused by a boundary error within an ActiveX control that's built into the program.

Attackers can exploit this to cause a stack-based buffer overflow by passing an overly long string (greater than 512 bytes) to the affected method, Danish vulnerability clearinghouse Secunia said in an advisory. Specifically, the firm said, the problem is a boundary error within the YDPCTL.YDPControl.1 (YDPCTL.dll) ActiveX control when handling the "GetComponentVersion()" method.

Secunia rated the flaw highly critical because successful attackers can run malicious code on compromised computers. The firm recommended users update to Yahoo Widgets version 4.0.5.

In its security advisory, Yahoo said users running a version of Yahoo! Widgets obtained before July 20, 2007 on a Windows PC need to download the updated version.

Of the potential damage, Yahoo said, "Some impacts of a buffer overflow might include the introduction of executable code and the crash of an application such as Internet Explorer. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting someone to view malicious HTML code, most likely executed by getting a person to visit their Web page."

Dig deeper on Web Application Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close