A security hole in Yahoo's Messenger could allow attackers to run their own code on computers using the program.
The buffer overrun vulnerability was found in a file named "yauto.dll," which is an ActiveX component of Messenger software versions up to 18.104.22.1687, according to a security alert released by Copenhagen security company Secunia.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Yahoo is working to verify the report and develop a patch for Messenger.
ActiveX is a Microsoft technology that allows software developers to create small, reusable bits of code, called "controls" that enable programs to share information over computer networks and the Internet.
Attackers could trigger a buffer overrun on machines running Messenger by sending a long stream of data in the form of a web page URL to a vulnerable function within yauto.dll, crashing the application or allowing the attacker to place his or her own malicious code on the machine, according to Secunia.
To launch an attack, hackers could set up a web page, then lure Messenger users into visiting the site and clicking on a link that triggers the buffer overrun and runs the attack code, Secunia said.
In buffer overflow attacks, hackers use flaws in a software program's underlying code to overwrite areas of the computer's memory, replacing legitimate computer instructions with bad data or other instructions.
Secunia rated the Messenger vulnerability "highly critical", saying that researchers tested the hole and successfully exploited it by downloading and running a Trojan horse program.
Messenger users running vulnerable versions of the program were advised to remove yauto.dll from their computer hard drive. Users should also consider modifying their web browser configuration to prevent ActiveX controls and Active Scripting from running, except on approved websites, Secunia advised.
Paul Roberts writes for IDG News Service