The Problem
A pair of serious vulnerabilities have been reported in Yahoo! Messenger. These could enable a hacker to run malicious code with minimal user intervention if the messaging client is running in the background.
In the first vulnerability, a remote attacker could compromise a machine running a webcam on Yahoo! Messenger by causing a buffer overflow in its ActiveX component when the user visits a Web page with malicious HTML code. In a buffer overflow, more data is written to a memory buffer than it can hold, which can crash the program or other services running on the computer, or allow harmful code to execute. The second exploit causes a buffer overflow in the file ywcvwr.dll, which is used in the viewer component of the messenger client.
eEye Digital Security, the company that discovered the exploits, gave them its highest risk rating. Secunia, another computer security company, labelled them "extremely critical."
The Solution
Yahoo! has released a patch for the exploits, stating that everyone using their messenger client should download the updated version from http://messenger.yahoo.com/download.php. Yahoo!'s description of the exploit can be found at http://messenger.yahoo.com/security_update.php?id=060707