Yahoo Fixes Messenger Flaw
The bug is caused by a flawed Yahoo Messenger ActiveX control that could be used by attackers to crash a chat session, bring down the Internet Explorer browser, or execute malicious code on a victimized PC.
Yahoo has patched a critical vulnerability in its Windows instant messaging client and has recommended that all users download and install an updated edition.
The bug, characterized as highly critical by Danish vulnerability tracker Secunia, is caused by a flawed Yahoo Messenger ActiveX control that could be used by attackers to crash a chat session, bring down the Internet Explorer browser, or execute malicious code on a victimized PC.
Yahoo downplayed the threat. "These impacts could only be possible if an attacker is successful in prompting someone to view malicious HTML code, most likely executed by getting a person to visit their Web page," the portal and search company said in an online alert. "To our knowledge, there have been no known executable code exploits related to this issue."
All users who downloaded Yahoo Messenger prior to Nov. 2 should install the v. 8.1 update, Yahoo said. Affected users will be prompted to upgrade when they next log into Messenger.