Holes in numerous ActiveX controls
Users of Yahoo's Music Jukebox should consider uninstalling the software. Several security holes in two of its ActiveX controls allow attackers to manipulate a system and infect it with malware via a crafted web site visited using Internet Explorer.
Buffers in YMP DataGrid (datagrid.dll) and Yahoo! Mediagrid (mediagridax.dll), can be overflowed by passing excessively long parameters to the functions AddImage, AddButton and AddBitmap, allowing code to be written to the stack and executed. The errors have been confirmed in the current version 2.2.2.056 of Yahoo! Music Jukebox. Other versions are probably also affected. According to the vulnerability database at Securityfocus, the affected controls are also present in Yahoo! Instant Messenger 3.5, Yahoo! Instant Messenger 5.5, and subsequent versions.
There are no updates at the moment, but exploits taking advantage of the holes are already available at Milw0rm. To remedy the problem, the software can be uninstalled, ActiveX can be switched off, or the kill bit can be set for the controls. The MediaGrid control has the CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139, and the ID for the DataGrid control is CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2. The Internet Storm Center has published a tool for setting the kill bit very easily in order to prevent Internet Explorer loading the vulnerable controls.
The same tool can also set the kill bit for the Facebook Photo Uploader ActiveX control and the MySpace Uploader Control ActiveX control, which also display critical holes. Update 22.214.171.124 for the MySpace control is however available to close the gap.
- Yahoo! JukeBox MediaGrid ActiveX Control AddBitmap() Buffer Overflow, vulnerability report by Elazar Broad