Yahoo patches Messenger ActiveX control flaws

Powered by SC Magazine
 

Yahoo patched two vulnerabilities in Messenger's ActiveX control, which were disclosed by a hacker offering proof-of-concept exploit code earlier this week.

The Sunnyvale, Calif.-based web giant encouraged Messenger users to download version 8.1.0.410 from its website.

"The Yahoo Messenger team recently learned of a buffer overflow security issue in ActiveX control. Upon learning of this issue, we began working toward a resolution and implemented a fix to Yahoo Messenger’s software download," read a statement released today by Yahoo spokesman Terrell Karlsten. "We are encouraging all Yahoo Messenger users to download the latest version available at messenger.yahoo.com."

Users will be prompted to download a new version of Messenger in the coming weeks, according to the statement.

According to an advisory released Thursday, Yahoo was made aware of the flaw by eEye Digital Security.

A hacker using the handle "Danny" released two zero-day ActiveX exploits for Yahoo Messenger’s Webcam application on the Full Disclosure mailing list on Thursday.

Secunia ranked the flaws as "highly critical" and FrSIRTassigned them a "high" risk ranking.

One flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to a Security advisory updated today.

The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia.

Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com that better email security solutions and the convergence of networks are two reasons hackers are turning their attention to IM

"They are turning to this pathway because it’s still open to them. Obviously, email is still a big spam target, but not as big of a target for viruses," he said.

Yahoo patches Messenger ActiveX control flaws
 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  26%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  23%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 897

Vote