In association with heise online

4 April 2007, 13:12

Unsafe ActiveX module in Yahoo Messenger

Yahoo Messenger installs an ActiveX module that can be embedded by Internet Explorer and contains a security vulnerability through which arbitrary code can be injected. Yahoo has released an update to fix the vulnerability.

The security vulnerability, reported by the Zero Day Initiative, affects the Yahoo.AudioConf ActiveX module, which is provided by the yacscom.dll library. If a web page visited by a Yahoo Messenger user loads the module with CLSID 85A4A99C-8C3D-499E-A386-E0743DFF8FB7 and passes very large values for the socksHostname and hostname parameters, a buffer overflow occurs. This can be used to execute injected code.

Yahoo has silently updated the Messenger software to fix the problem. Users who downloaded Yahoo Messenger before 13th March 2007 should update the software sharpish.
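
A host-side check for the control described above, as an added example that is not part of the original article or Yahoo's own tooling: it reports whether the CLSID from the article is registered machine-wide, which DLL backs it, and whether Internet Explorer's kill bit is set for it. The function name and the choice to inspect only the HKLM registry views are assumptions of this example.

```powershell
# Added example: read-only audit for the Yahoo.AudioConf ActiveX control.
$Clsid   = '{85A4A99C-8C3D-499E-A386-E0743DFF8FB7}'  # CLSID quoted in the article
$KillBit = 0x400                                     # IE "Compatibility Flags" kill bit

# Native and 32-bit-on-64-bit registry views (machine-wide registrations only).
$Views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Get-AudioConfStatus {   # hypothetical helper name
    foreach ($view in $Views) {
        $server = Join-Path $view "Classes\CLSID\$Clsid\InprocServer32"
        if (-not (Test-Path $server)) { continue }   # control not registered in this view

        # The default value of InprocServer32 is the path of the implementing DLL
        # (yacscom.dll according to the article).
        $dll  = (Get-Item $server).GetValue('')
        $file = if ($dll -and (Test-Path $dll)) { Get-Item $dll } else { $null }

        # IE refuses to instantiate a control whose Compatibility Flags include 0x400.
        $compat = Join-Path $view "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $flags  = 0
        if (Test-Path $compat) {
            $prop = Get-ItemProperty -Path $compat -Name 'Compatibility Flags' `
                                     -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }

        # The article gives only a download date (13 March 2007), not a fixed
        # version number, so version and timestamp are reported, not judged.
        [pscustomobject]@{
            RegistryView = $view
            DllPath      = $dll
            FileVersion  = if ($file) { $file.VersionInfo.FileVersion } else { $null }
            LastWritten  = if ($file) { $file.LastWriteTime } else { $null }
            KillBitSet   = [bool]($flags -band $KillBit)
        }
    }
}

$found = @(Get-AudioConfStatus)
if ($found.Count -eq 0) {
    'Yahoo.AudioConf is not registered machine-wide on this host.'
} else {
    $found | Format-List
}
```

A host that lists the control with `KillBitSet` false and an old DLL is a candidate for the Messenger update the article recommends.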

(mba)
