Yahoo patches Messenger ActiveX control flaws

Powered by SC Magazine
 

Yahoo patched two vulnerabilities in Messenger's ActiveX control, which were disclosed by a hacker offering proof-of-concept exploit code earlier this week.

The Sunnyvale, Calif.-based web giant encouraged Messenger users to download version 8.1.0.410 from its website.

"The Yahoo Messenger team recently learned of a buffer overflow security issue in ActiveX control. Upon learning of this issue, we began working toward a resolution and implemented a fix to Yahoo Messenger’s software download," read a statement released today by Yahoo spokesman Terrell Karlsten. "We are encouraging all Yahoo Messenger users to download the latest version available at messenger.yahoo.com."

Users will be prompted to download a new version of Messenger in the coming weeks, according to the statement.

According to an advisory released Thursday, Yahoo was made aware of the flaw by eEye Digital Security.

A hacker using the handle "Danny" released two zero-day ActiveX exploits for Yahoo Messenger’s Webcam application on the Full Disclosure mailing list on Thursday.

Secunia ranked the flaws as "highly critical" and FrSIRTassigned them a "high" risk ranking.

One flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to a Security advisory updated today.

The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia.

Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com that better email security solutions and the convergence of networks are two reasons hackers are turning their attention to IM

"They are turning to this pathway because it’s still open to them. Obviously, email is still a big spam target, but not as big of a target for viruses," he said.

Yahoo patches Messenger ActiveX control flaws
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 702

Vote