ActiveX vulnerability hits Yahoo Widgets

Powered by SC Magazine
 

Researchers at security firm Secunia have revealed a "highly critical" security vulnerability in Yahoo's desktop Widgets. Widgets are software plug-ins that deliver a variety of information - weather reports, sports scores, and music - to users' computer desktops.

The vulnerability could be exploited by remote attackers to cause a denial of service or take control of an affected system. It's caused by a boundary error within an ActiveX control, according to Secunia. Malicious code could exploit this vulnerability to cause a stack-based buffer overflow by passing an overly long string (greater than 512 bytes) when handling certain processes.
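The defect class described above, as an added illustration that is not code from the article, Secunia or Yahoo: a hypothetical property setter copies a caller-supplied string into a 512-byte stack buffer (the threshold the article reports) with no length check, shown beside a bounded version that measures the input first and refuses anything that will not fit. All names and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a 512-byte fixed stack buffer, the size the article
 * reports as the overflow threshold. Function names are hypothetical. */
#define WIDGET_BUF_SIZE 512

/* Vulnerable pattern (the "boundary error" class Secunia describes): the
 * caller-supplied string is copied into a fixed stack buffer with no length
 * check, so input of 512 bytes or more runs past the buffer and corrupts
 * adjacent stack memory. Kept only to contrast with the fix; this example
 * never passes it an over-long value. */
int set_property_unbounded(const char *value)
{
    char buf[WIDGET_BUF_SIZE];
    strcpy(buf, value);            /* no bound on the copy: the defect */
    return (int)strlen(buf);
}

/* Hardened pattern: measure the input against the buffer limit first and
 * reject anything that will not fit with its terminator, rather than
 * truncating silently or trusting the caller. Returns the accepted length,
 * or -1 when the input is rejected. */
int set_property_bounded(const char *value)
{
    char buf[WIDGET_BUF_SIZE];
    size_t len = 0;
    /* Bounded scan: stop as soon as the input is known to be too long. */
    while (len < WIDGET_BUF_SIZE && value[len] != '\0')
        len++;
    if (len >= WIDGET_BUF_SIZE)
        return -1;                 /* 512 bytes or more: refuse, do not copy */
    memcpy(buf, value, len + 1);   /* terminator included, still within bounds */
    return (int)len;
}

/* Fill dst with a constructed string of n 'A' bytes (dst must hold n + 1). */
void make_constructed_input(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

int main(void)
{
    static char input[1024];
    make_constructed_input(input, 100);
    printf("100-byte value: %d\n", set_property_bounded(input));   /* 100 */
    make_constructed_input(input, 600);
    printf("600-byte value: %d\n", set_property_bounded(input));   /* -1 */
    return 0;
}
```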

Yahoo has created a patch [version 4.0.5] and urged that Widgets users and developers apply the patch as soon as possible. The patch is available here.

Secunia confirmed the vulnerability in YDPCTL.dll version 2007.4.13.1 in Yahoo Widgets version 4.0.3, also known as “build 178.” Secunia said that other versions of Yahoo Widgets may also be affected.

“Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo Widgets upon launching the application,” Yahoo said in an online posting. “If you choose not to update and you have not updated, the vulnerability will still exist.”

"Because of prevalence and ubiquity of Widgets, an awful lot of desktops are at risk to the vulnerability," Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com. Although "nobody has reported an actual exploit of the vulnerability," Montgomery joined Yahoo in urging Widgets users to "keep their security up to date and stay on top of security alerts.

"It doesn't take email to download a virus -- it can be small footprint code like Widgets."
