Yahoo patches Messenger
The vendor has fixed the recently discovered security hole in its Yahoo Messenger software with a new program version. Users of the software are advised to install it as soon as possible. The author of the first two exploits has meanwhile published refined and revised versions, which could be used by script kiddies to put together malicious web pages with only few mouse clicks.
For instance, security holes in the ActiveX modules for webcam support could be exploited by attackers to inject arbitrary code on the systems of affected users through manipulated web pages. The updated program version provided by Yahoo replaces defective ActiveX modules in the ywcupl.dll and ywcvwr.dll files. The fix is included in the libraries of version 220.127.116.11 and above. During the next few weeks, Yahoo will inform users logging into the Yahoo service of the new version and recommend an update.
- Download of the Yahoo Messenger update
- Yahoo! Webcam ActiveX Controls, advisory from Yahoo
- Revised exploits by Danny on Full Disclosure