News

Yahoo fixes Messenger security flaws

SearchSecurity.com Staff

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines. The update comes as security experts track increased instances of exploit code in the wild.

The  SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site with handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible. "Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."

Yahoo Messenger:
Serious flaws put Yahoo Messenger users in peril
Attackers could exploit two serious flaws in Yahoo Messenger to run malicious code on targeted machines

The flaws first came to light last week, when eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."

Danish vulnerability clearinghouse Secunia took the description a few steps further in its advisory, saying the problems are a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method; and a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method.

The flaws affect version 8.1.0.249, Secunia said. The firm recommended users mitigate the risk by setting the kill bit for the affected ActiveX controls or, better yet, installing the updated version of Yahoo Messenger.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy