The company was quick to issue a fix for a buffer overflow problem in its instant messenger software that could give hackers control of an infected system.

Sharon Gaudin, Contributor

June 8, 2007

2 Min Read

Yahoo released a fix late Thursday for the critical Yahoo Messenger bugs that could enable a remote hacker to take control of a user's system.

Researchers at eEye Digital Security found the bugs within the last few weeks and reported them to Yahoo on Wednesday, according to Marc Maiffret, co-founder and CTO of the security company. eEye's researchers said there actually are multiple flaws in version 8 of Yahoo's instant messenger client software.

Yahoo has fixed a buffer overflow problem in Webcam ActiveX controls that was causing the problem, according to a company spokeswoman in an e-mail to InformationWeek. Yahoo is recommending that users update their Yahoo Messenger software to Version 8.1.0.401, which can be found at Yahoo's update site.

The vulnerability could be exploited if the user visits a Web site containing malicious code or opens an attachment with malicious code. If a user's machine is infected, a hacker could take control of the system.

"We take security issues very seriously, and upon being notified of this issue from eEye earlier this week, we diligently began working on a fix," said the spokeswoman in an e-mail. "The product and engineering teams were very expeditious in getting the fix into place last night. Protecting our users from security issues is a top priority."

eEye Digital Security gave the flaw its highest security threat rating. "If you're running this, your system could be compromised," said Maiffret. "It allows for remote [code] execution."

While instant messaging quickly caught on as a favorite communication tool for the teenage set, it's also become a key tool in the corporate world -- speeding inter- and intra-office messages.

Yahoo recently released a beta version of its Yahoo Messenger for the Web, which removes the need for a separate IM client application. The Flash-based chat service is compatible with Microsoft's Windows Live Messenger and is supported by the four most popular browsers: IE, Firefox, Opera and Safari.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights