grchl3
12-16-2006, 06:40 PM
Yahoo has issued what one security company labels a "highly critical" update for the popular instant messaging feature.
The update is designed to combat software flaws that could allow an attacker to take over a person's computer.
The flaws affect versions of Yahoo Messenger 5.0 through 8.0, according to a security advisory released Friday by Secunia. Windows users who are running versions of Yahoo Messenger released before November 2 are advised to update to Yahoo Messenger 8.1.
A security flaw was found in the ActiveX control component of Yahoo's services suite that typically downloads with the Yahoo Messenger installer. The vulnerability could allow a buffer overflow to occur in the ActiveX control. A buffer overflow occurs when a computer tries to store too much data in a temporary storage area, resulting in a system crash or in giving an attacker "back door" access to the system.
As a result of the ActiveX vulnerability, people could involuntarily be logged out of a Messenger session, have an application such as Internet Explorer crash, or have malicious code launched on their PC if they're lured to a malicious Web site, according to a security advisory released by Yahoo last week.
In the past, Yahoo Messenger users have been the target of phishing attacks. Attackers would send a message to someone that appeared to come a person on their friends list, and then attempt to lure the IM user to a bogus Yahoo site. The site would then prompt the person to enter their Yahoo ID and password.
:source: Source: http://news.zdnet.com/2100-1009_22-6144110.html
The update is designed to combat software flaws that could allow an attacker to take over a person's computer.
The flaws affect versions of Yahoo Messenger 5.0 through 8.0, according to a security advisory released Friday by Secunia. Windows users who are running versions of Yahoo Messenger released before November 2 are advised to update to Yahoo Messenger 8.1.
A security flaw was found in the ActiveX control component of Yahoo's services suite that typically downloads with the Yahoo Messenger installer. The vulnerability could allow a buffer overflow to occur in the ActiveX control. A buffer overflow occurs when a computer tries to store too much data in a temporary storage area, resulting in a system crash or in giving an attacker "back door" access to the system.
As a result of the ActiveX vulnerability, people could involuntarily be logged out of a Messenger session, have an application such as Internet Explorer crash, or have malicious code launched on their PC if they're lured to a malicious Web site, according to a security advisory released by Yahoo last week.
In the past, Yahoo Messenger users have been the target of phishing attacks. Attackers would send a message to someone that appeared to come a person on their friends list, and then attempt to lure the IM user to a bogus Yahoo site. The site would then prompt the person to enter their Yahoo ID and password.
:source: Source: http://news.zdnet.com/2100-1009_22-6144110.html