The holes could have allowed an attacker to run code of their choice or modify content within Yahoo! Messenger on a vulnerable PC.
The vulnerabilities affect Yahoo! Messenger version 5.0.0.1061 running on Windows 98, 2000 and XP Pro.
The first vulnerability is a buffer overflow: a specially formatted URL (Uniform Resource Locator) passed to the application can overrun the memory allocated to a number of Yahoo! Messenger functions. Depending on the length of the URL, the overrun can crash Yahoo! Messenger or be used to run attacker-supplied code on the target PC.
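The article does not describe how Yahoo! Messenger handles the URL internally, so the following is an added illustration of the general pattern, not Yahoo!'s code: a handler that copies a URL into a fixed-size buffer without a length check, beside a bounded version that refuses over-long input. The 64-byte buffer, the function names and the constructed inputs are assumptions made for the example.

```c
/* Added illustration of a URL-length buffer overflow and its fix.
 * Not Yahoo! Messenger's code; buffer size and names are assumed. */
#include <stdio.h>
#include <string.h>

#define URL_BUF 64   /* assumed size of the fixed buffer */

/* Vulnerable pattern: strcpy trusts the caller-supplied length. A URL of
 * URL_BUF bytes or more overruns `buf` and whatever the compiler placed
 * after it on the stack (typically the saved frame pointer and return
 * address), which is how a crash turns into code execution. Calling this
 * with a long URL is undefined behaviour; it is shown only for contrast. */
void handle_url_unsafe(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);               /* no bounds check: overflow here */
    printf("opening %s\n", buf);
}

/* Hardened version: measure first, reject anything that would not fit
 * (including the terminating NUL), then copy exactly the bytes checked.
 * Returns 0 on success, -1 if the URL is too long for `out`. */
int handle_url_safe(const char *url, char *out, size_t out_len)
{
    size_t n = strlen(url);
    if (out_len == 0 || n >= out_len)
        return -1;                  /* refuse rather than silently truncate */
    memcpy(out, url, n + 1);        /* n + 1 copies the NUL as well */
    return 0;
}

/* Builds a constructed URL of exactly `len` bytes and reports what the
 * bounded handler does with it: 0 accepted, -1 rejected, -2 if `len` is
 * larger than this helper's own scratch buffer. Used to probe the boundary. */
int safe_result_for_length(size_t len)
{
    char url[512];
    char out[URL_BUF];
    if (len >= sizeof url)
        return -2;
    memset(url, 'A', len);          /* constructed input: 'A' padding */
    url[len] = '\0';
    return handle_url_safe(url, out, sizeof out);
}

/* Returns 1 if `url` would overrun a URL_BUF-byte buffer in the unsafe path. */
int url_would_overflow(const char *url)
{
    return strlen(url) >= URL_BUF;
}

int main(void)
{
    const char *short_url = "http://example.invalid/ok";   /* constructed */
    char out[URL_BUF];

    handle_url_unsafe(short_url);   /* fits, so no overflow for this input */
    printf("safe(short) = %d\n", handle_url_safe(short_url, out, sizeof out));
    printf("safe(63 bytes) = %d\n", safe_result_for_length(63));
    printf("safe(64 bytes) = %d\n", safe_result_for_length(64));
    printf("safe(300 bytes) = %d\n", safe_result_for_length(300));
    return 0;
}
```

The boundary is the point to check: a 63-byte URL plus its terminator exactly fills a 64-byte buffer and is accepted, while 64 bytes is rejected. Rejecting rather than truncating matters because a silently shortened URL can still point somewhere the user did not intend.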
The second flaw concerns the information tabs within Yahoo! Messenger, which give users one-click access to customised information from within the client. When a vulnerable version of Yahoo! Messenger is used together with Microsoft's Internet Explorer 5.0 or later, an attacker using Visual Basic scripts or Java can force it to create new tabs or to alter the content of existing tabs.
An attacker could also steal the username and password of the account in use. The patched version of Yahoo! Messenger closes this hole by removing the tab-adding feature entirely.
Security vulnerabilities in instant messaging clients are becoming more prevalent: a handful of holes have been found in 2002 in America Online's Instant Messenger, Yahoo!'s rival application.
Most recently, AOL closed a hole that could have allowed an attacker to run the code of their choice on an affected PC.
The patch can be downloaded at http://download.yahoo.com/dl/installs/ymsgr/ymsgr_1065.exe