In association with heise online

04 April 2007, 12:12

Unsafe ActiveX module in Yahoo Messenger


Yahoo Messenger installs an ActiveX module that Internet Explorer can embed in web pages. The module contains a security vulnerability through which arbitrary code can be injected. Yahoo has released an update to fix the vulnerability.

The security vulnerability, reported by the Zero Day Initiative, affects the Yahoo.AudioConf ActiveX module, which is provided by the yacscom.dll library. If a web page visited by a Yahoo Messenger user loads the module with CLSID 85A4A99C-8C3D-499E-A386-E0743DFF8FB7 and passes very large values for the socksHostname and hostname parameters, a buffer overflow occurs. This can be used to execute injected code.

Yahoo has silently updated the Messenger software to fix the problem. Users who downloaded Yahoo Messenger before 13th March 2007 should update the software sharpish.
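To see whether a given Windows machine still exposes this control to Internet Explorer, the following added example (not from the article or from Yahoo) looks up the CLSID named above, reports which DLL serves it and that file's version, and checks whether the control has been blocked with a kill bit. The kill bit (`Compatibility Flags` value 0x400) is Internet Explorer's standard mechanism for disabling a control and is not mentioned in the article; the function name `Get-ControlStatus` is hypothetical.

```powershell
# Added example: inventory check for the Yahoo.AudioConf control named in the article.
# Run from a 64-bit PowerShell session so both registry views are visible.
$clsid   = '{85A4A99C-8C3D-499E-A386-E0743DFF8FB7}'  # CLSID from the article
$killBit = 0x400                                      # "Compatibility Flags" bit that blocks a control in IE

function Get-ControlStatus {
    param([string]$Clsid)
    # Machine-wide registrations only; the 32-bit view lives under WOW6432Node.
    $views = @(
        @{ Name   = 'native'
           Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
           Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
        @{ Name   = 'wow64'
           Classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
           Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
    )
    foreach ($v in $views) {
        $serverKey = Join-Path (Join-Path $v.Classes $Clsid) 'InprocServer32'
        $compatKey = Join-Path $v.Compat $Clsid
        $dll = $null; $version = $null; $flags = 0
        if (Test-Path -LiteralPath $serverKey) {
            # The unnamed default value of InprocServer32 holds the DLL path
            # (the article names yacscom.dll as the library providing the control).
            $dll = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $version = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
            }
        }
        if (Test-Path -LiteralPath $compatKey) {
            $flags = [int](Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0)
        }
        [pscustomobject]@{
            View       = $v.Name
            Registered = [bool]$dll
            Dll        = $dll
            Version    = $version
            KillBitSet = (($flags -band $killBit) -eq $killBit)
        }
    }
}

Get-ControlStatus -Clsid $clsid | Format-Table -AutoSize
```

A row with `Registered` true and `KillBitSet` false means the control can still be instantiated by a web page. The article gives no fixed version number, so the reported version has to be compared against a freshly updated installation.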
