Yahoo patches Messenger ActiveX control flaws

Powered by SC Magazine
 

Yahoo patched two vulnerabilities in Messenger's ActiveX control, which were disclosed by a hacker offering proof-of-concept exploit code earlier this week.

The Sunnyvale, Calif.-based web giant encouraged Messenger users to download version 8.1.0.410 from its website.

"The Yahoo Messenger team recently learned of a buffer overflow security issue in ActiveX control. Upon learning of this issue, we began working toward a resolution and implemented a fix to Yahoo Messenger’s software download," read a statement released today by Yahoo spokesman Terrell Karlsten. "We are encouraging all Yahoo Messenger users to download the latest version available at messenger.yahoo.com."

Users will be prompted to download a new version of Messenger in the coming weeks, according to the statement.

According to an advisory released Thursday, Yahoo was made aware of the flaw by eEye Digital Security.

A hacker using the handle "Danny" released two zero-day ActiveX exploits for Yahoo Messenger’s Webcam application on the Full Disclosure mailing list on Thursday.

Secunia ranked the flaws as "highly critical" and FrSIRTassigned them a "high" risk ranking.

One flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to a Security advisory updated today.

The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia.

Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com that better email security solutions and the convergence of networks are two reasons hackers are turning their attention to IM

"They are turning to this pathway because it’s still open to them. Obviously, email is still a big spam target, but not as big of a target for viruses," he said.

Yahoo patches Messenger ActiveX control flaws
 
 
 
Top Stories
Telstra to buy Pacnet for $857m
Gets 46,500km of undersea cable.
 
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  37%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 2002

Vote
Do you support the abolition of the Office of the Information Commissioner?