In association with heise online

30 August 2007, 16:53

Yet another Yahoo Messenger update


A new vulnerability in Yahoo Messenger allows attackers to execute malicious code on a victim's machine. Just one week after the last one, the company has had to release a further update to fix the vulnerability.

Buffer overflows can occur in the YVerInfo.dll ActiveX control. Attackers can trigger these by, for example, using crafted web pages. According to Yahoo's security advisory, the vulnerability, discovered by security services provider iDefense, can result in unwanted logouts from chat or messenger sessions, software such as Internet Explorer crashing or execution of external code.

The bug affects versions of YVerInfo.dll prior to the current version, 2007.8.27.1. The ClassID of the ActiveX control is {64AA7031-C150-4118-8D31-FD273A2BB22C}. Users can either set the kill bit for this control, so that Internet Explorer will no longer instantiate anything registered under that ClassID, or deactivate ActiveX for the internet zone completely in IE. Alternatively, the updated version of Yahoo Messenger, which is now available, also fixes the vulnerability.
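The following script is an added example, not part of the article or of anything Yahoo published. It shows how an administrator could check which YVerInfo.dll Internet Explorer would load for the ClassID above, compare its file version against 2007.8.27.1, and set the kill bit if the installed build is older. The kill-bit registry location and the 0x400 flag value are the ones Microsoft documents for ActiveX kill bits (KB 240797); the Wow6432Node path is the view read by 32-bit IE on 64-bit Windows. Resolving the ClassID through HKCR\CLSID\{…}\InprocServer32 is standard COM registration, not anything specific to Yahoo.

```powershell
# Added example: audit the YVerInfo.dll ActiveX control and kill-bit it if vulnerable.
# Run from an elevated PowerShell prompt. Nothing here is Yahoo's own code.

$Clsid        = '{64AA7031-C150-4118-8D31-FD273A2BB22C}'   # ClassID from Yahoo's advisory
$FixedVersion = [version]'2007.8.27.1'                       # first non-vulnerable build per the advisory
$KillBit      = 0x400                                        # "Compatibility Flags" bit that disables a control in IE

# 1. Resolve the CLSID to the DLL that implements it (standard COM registration key).
$server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                           -ErrorAction SilentlyContinue

if (-not $server) {
    Write-Output "Control $Clsid is not registered on this machine; nothing to kill-bit."
    return
}

$dllPath = [Environment]::ExpandEnvironmentVariables($server.'(default)')
Write-Output "CLSID $Clsid is served by: $dllPath"

# 2. Read the file version from the PE version resource and compare with the fixed build.
$installed = $null
if (Test-Path -LiteralPath $dllPath) {
    $vi = (Get-Item -LiteralPath $dllPath).VersionInfo
    $installed = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    Write-Output "Installed file version: $installed"
}
else {
    Write-Output "Registered DLL is missing on disk; treating as vulnerable (stale registration)."
}

$vulnerable = ($null -eq $installed) -or ($installed -lt $FixedVersion)

if (-not $vulnerable) {
    Write-Output "Installed version is $FixedVersion or newer; no kill bit needed."
    return
}

# 3. Set the kill bit. 32-bit IE on 64-bit Windows reads the Wow6432Node view, so set both.
$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # OR the kill bit into any flags already present rather than overwriting them.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord

    # 4. Read back and confirm the bit is set.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Output "Kill bit set under $key (Compatibility Flags = 0x{0:X})" -f $check
    }
    else {
        Write-Warning "Failed to set kill bit under $key"
    }
}

Write-Output "IE will no longer instantiate $Clsid. Install the updated Yahoo Messenger as well."
```

Two caveats a practitioner should keep in mind. First, the kill bit is keyed on the ClassID, not on the DLL version, so if the updated control keeps the same ClassID it will be blocked in IE too; the kill bit is a stopgap until the update is installed, not a replacement for it. Second, the version comparison only tells you about the file the registry currently points at; a second copy of the DLL elsewhere on disk is not loaded by IE for this ClassID and is not what this check is about.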
