ActiveX vulnerability hits Yahoo Widgets

By

Researchers at security research firm Secunia have revealed a "highly critical" security vulnerability in Yahoo's desktop Widgets. Widgets are software plug-ins that allow delivering a variety of information - weather reports, sports scores, and music - to users' computer desktops.

ActiveX vulnerability hits Yahoo Widgets
The vulnerability could be exploited by remote attackers to cause a denial of service or take control of an affected system. It's caused by a boundary error within an ActiveX control, according to Secunia. Malicious code could exploit this vulnerability to cause a stack-based buffer overflow by passing an overly long string (greater than 512 bytes) when handling certain processes.

Yahoo has created a patch [version 4.0.5] and urged that Widgets users and developers apply the patch as soon as possible. The patch is available here.

Secunia confirmed the vulnerability in YDPCTL.dll version 2007.4.13.1 in Yahoo Widgets version 4.0.3, also known as “build 178.” Secunia said that other versions of Yahoo Widgets may also be affected.

“Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo Widgets upon launching the application,” Yahoo said in an online posting. “If you choose not to update and you have not updated, the vulnerability will still exist.”

"Because of prevalence and ubiquity of Widgets, an awful lot of desktops are at risk to the vulnerability," Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com. Although "nobody has reported an actual exploit of the vulnerability," Montgomery joined Yahoo in urging Widgets users to "keep their security up to date and stay on top of security alerts.

"It doesn't take email to download a virus -- it can be small footprint code like Widgets."


Got a news tip for our journalists? Share it with us anonymously here.
Tags:
activexhitssecurityvulnerabilitywidgetsyahoo

Sponsored Whitepapers

Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.

Events

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?