In association with heise online

30 July 2007, 09:17

Yahoo fixes security vulnerability in Widgets package

The new version 4.0.5 of Yahoo! Widgets for Windows fixes a critical vulnerability. If an earlier version of the helper software is used, attackers may be able to use manipulated web pages to infect visiting Internet Explorer users with arbitrary malicious code. According to security services provider Secunia, a buffer overflow occurs in the YPD ActiveX control (YPPCTL.dll) if the GetComponentVersion() function is passed a parameter greater than 512 characters in length. Secunia rates the issue as "highly critical".

The Yahoo Widgets package automatically indicates the availability of new versions. Users must, however, download and install the 12 Mbyte package themselves. Yahoo states that all versions of the software downloaded from the Yahoo website prior to 20th July contain the vulnerable ActiveX control. The vendor advises all users to update as soon as possible.
