Yahoo! patches instant message hole

Yahoo! has offered fixes for two security holes in its Yahoo! Messenger application.

The holes could have allowed an attacker to run code of their choice or modify content within Yahoo! Messenger on a vulnerable PC.

The vulnerabilities affect Yahoo! Messenger version 5, 0, 0, 1061 running on Windows 98, 2000 and XP Pro.

The first vulnerability stems from a buffer overflow in the application that could allow a specially formatted URL (Uniform Resource Locator) to overrun the memory allocated to a number of Yahoo! Messenger functions. Depending on the length of the URL, Yahoo! Messenger can be crashed or can be made to run code on the target PC.

The second flaw concerns the use of information tabs within Yahoo! Messenger that give users one-click access to customised information from within Messenger. A vulnerable version of Yahoo! Messenger, used in conjunction with Microsoft's Internet Explorer 5.0 or later, can be forced by an attacker using Visual Basic scripts or Java to create new tabs or to alter the content of existing tabs.

An attacker could even steal the username and password of the account being used. The patched version of Yahoo! Messenger, which closes this hole, does so by removing the tab-adding feature entirely.

Security vulnerabilities in instant messaging clients are becoming more prevalent: a handful of holes have been found in 2002 in the Instant Messenger application of Yahoo! rival America Online.

Most recently, AOL closed a hole that could have allowed an attacker to run the code of their choice on an affected PC.

The patch can be downloaded at


