Yahoo! patches instant message hole


Yahoo! has offered fixes for two security holes in its Yahoo! Messenger application.

The holes could have allowed an attacker to run code of their choice or modify content within Yahoo! Messenger on a vulnerable PC.

The vulnerabilities affect Yahoo! Messenger version 5, 0, 0, 1061 running on Windows 98, 2000 and XP Pro.

The first vulnerability stems from a buffer overflow in the application that could allow a specially formatted URL (Uniform Resource Locator) to overrun the memory allocated to a number of Yahoo! Messenger functions. Depending on the length of the URL, Yahoo! Messenger can be crashed or can be made to run code on the target PC.

The second flaw concerns the use of information tabs within Yahoo! Messenger that give users one-click access to customised information from within Messenger. A vulnerable version of Yahoo! Messenger, used in conjunction with Microsoft's Internet Explorer 5.0 or later, can be forced by an attacker using Visual Basic scripts or Java to create new tabs or to alter the content of existing tabs.

An attacker could even steal the username and password of the account being used. The patched version of Yahoo! Messenger closes this hole by removing the tab-adding feature entirely.

Security vulnerabilities in instant messaging clients are becoming more prevalent: a handful of holes have been found in 2002 in Instant Messenger, the application from Yahoo! rival America Online.

Most recently, AOL closed a hole that could have allowed an attacker to run code of their choice on an affected PC.

The patch can be downloaded at
