Yahoo updates to patch Messenger ActiveX vulnerability

By
Follow google news

Yahoo has updated its instant messaging platform to protect against a vulnerability that can allow remote attacks.

Yahoo updates to patch Messenger ActiveX vulnerability
Versions of Yahoo Messenger installed before 13 March contain a flaw that can allow remote code attacks, Yahoo said Monday in an security advisory.

The flaw is caused by a boundary error within the AudioConf ActiveX control (yacscom.dll), according to an advisory from Secunia.

The vulnerability can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostname" properties to an overly large strong and then calling the "createAndJoinConference()" method, according to Secunia’s advisory.

The flaw exists in Yahoo Messenger versions 5, 6, 7 and 8, according to Secunia.

An advisory from TippingPoint’s Zero Day Initiative, which first disclosed the flaw to Yahoo last October, reported that user interaction is required to exploit the flaw, most commonly through a duped user visiting a malicious website.

Secunia today ranked the flaw as "highly critical," meaning that it can be exploited by arbitrary code.

Add iTnews as your trusted source

Add iTnews As Your Trusted Source Add iTnews As Your Trusted Source
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
activexmessengerpatchsecuritytoupdatesvulnerabilityyahoo

Sponsored Whitepapers

The future of resilience: AI-Driven dynamic storage
The future of resilience: AI-Driven dynamic storage
5 reasons to adopt a mobile first security strategy
5 reasons to adopt a mobile first security strategy
Uncomplicate IT Service Delivery with AI Agents
Uncomplicate IT Service Delivery with AI Agents
Getting ahead of the tech: what’s next for Australian organisations in digital transformation
Getting ahead of the tech: what’s next for Australian organisations in digital transformation
Fintech compliance made fast and secure
Fintech compliance made fast and secure

Events

Most Read Articles

FBI remotely patched privately-owned routers to evict Russian GRU spies

FBI remotely patched privately-owned routers to evict Russian GRU spies
Dead cars tell tales by storing data that's never wiped

Dead cars tell tales by storing data that's never wiped
Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases
AI-boosted hacks with Anthropic’s Mythos could have dire consequences for banks

AI-boosted hacks with Anthropic’s Mythos could have dire consequences for banks
techpartner.news logo
Sydney-based AI-cloud waste startup raises $3m
Sydney-based AI-cloud waste startup raises $3m
Brennan uses NiCE to modernise its contact centre
Brennan uses NiCE to modernise its contact centre
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Interactive introduces private cloud platform
Interactive introduces private cloud platform
Digital61 expands cybersecurity portfolio
Digital61 expands cybersecurity portfolio

Log In

  |  Forgot your password?