The patch addresses a buffer overflow vulnerability in an ActiveX control that could allow attackers to execute arbitrary code.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 31, 2007

1 Min Read

Yahoo has issued a patch for its instant messaging client, Yahoo Messenger.

The patch issued Wednesday addresses a buffer overflow vulnerability in an ActiveX control. Users who installed Yahoo Messenger before August 29, 2007 should install the update.

Microsoft's ActiveX controls can interact with the full Windows operating system, unlike Java applets. This gives them a lot of power and also makes them potentially risky.

iDefense Labs identified the Messenger vulnerability. "Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged in user," the company reported on its Web site. "Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site."

Yahoo said that it was unaware of any attempts to exploit the vulnerability. "Some impacts of a buffer overflow might include involuntary log out of a Yahoo Chat and/or Yahoo Messenger session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code," the company said. "In this case, these problems could only happen if an attacker successfully lured the Yahoo Messenger user to view malicious HTML code, most likely by getting a person to visit the attacker's Web page. To our knowledge, there have been no known malicious executable code exploits related to this issue."

Yahoo issued another security patch for Yahoo Messenger on Aug. 21. That patch addressed two security issues with the way the software's Webcam functions work: susceptibility to a denial-of-service attack following a malicious Webcam invitation and a buffer overflow that could lead to the introduction of executable code by an attacker.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights