An attacker can exploit the vulnerability to execute arbitrary code onto an affected PC, causing web browsers to crash. To infect a PC, a malicious user would have to convince a victim - most likely by using social engineering - to view a specially crafted HTML email message or attachment, according to US-CERT.
Yahoo urged users who have a Windows version of Messenger obtained before Nov. 2 to update. No exploit code has been released for the flaw, according to a Yahoo advisory.
Messenger users will be prompted to update every time they sign on, according to the Sunnyvale, Calif. web giant.
US-CERT also issued a workaround for the flaw, advising users to disable ActiveX controls in the Internet Zone.
Click here to email Online Editor Frank Washkuch Jr.
.png&h=140&w=231&c=1&s=0){kind=logo}
_(23).jpg&h=140&w=231&c=1&s=0)
_(26).jpg&w=100&c=1&s=0)
iTnews Executive Retreat - Security Leaders Edition
_(1).jpg&h=140&w=231&c=1&s=0)
