Yahoo Patches IM Vulnerability

April 6, 2007
Yahoo logo

A buffer overflow problem is patched by the company.

Yahoo has patched a buffer overflow vulnerability in its instant-messaging tool that would have enabled attackers to potentially execute code on a compromised machine.

The flaw exists in an ActiveX control that is part of the Yahoo Messenger audio conference control. If exploited, a buffer overflow could cause a user to be involuntarily logged out of a chat or instant messaging session, the crash of an application such as Internet Explorer or the execution of code.

According to the company, an attacker would have to trick a user into viewing malicious HTML code in order for the attack to be successful.

Andrew Storms, director of security operations for San Francisco-based nCircle, said addressing the vulnerability could pose a problem in large corporate environments where Yahoo Messenger is widely used.

"Yahoo IM is heavily used in the corporate environment even if security policy doesn't officially permit it," he said. " - This vulnerability - leaves administrators with the choices to upgrade or set the kill-bit on the affected ActiveX control. Unfortunately, many corporations are unable to centrally manage upgrades - to - Windows Messenger, making this fix extremely time-intensive for IT teams. Many companies will be performing ad-hoc mitigation to get this cleaned up."

Yahoo advises anyone who has installed Yahoo Messenger before March 13 to install the update.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Indian government wakes up to risk of Hotmail, Gmail

Related Stories

Indian government wakes up to risk of Hotmail, Gmail

December 8, 2013

Worried by US spying revelations, India has begun drawing up a new email policy to help secure government communications, but the man responsible for drafting the rules still regularly uses Hotmail.

Security holes in smartphone apps (w/ Videos)

April 17, 2013

(Phys.org) —Popular texting, messaging and microblog apps developed for the Android smartphone have security flaws that could expose private information or allow forged fraudulent messages to be posted, according to researchers ...

Recommended for you

For these 'cyborgs', keys are so yesterday

September 4, 2015

Punching in security codes to deactivate the alarm at his store became a thing of the past for Jowan Oesterlund when he implanted a chip into his hand about 18 months ago.

How to curb emissions? Put a price on carbon

September 3, 2015

Literally putting a price on carbon pollution and other greenhouse gasses is the best approach for nurturing the rapid growth of renewable energy and reducing emissions.

Magnetic fields provide a new way to communicate wirelessly

September 1, 2015

Electrical engineers at the University of California, San Diego demonstrated a new wireless communication technique that works by sending magnetic signals through the human body. The new technology could offer a lower power ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.