Yet another Yahoo Messenger update
A new vulnerability in Yahoo Messenger allows attackers to inject malicious code. Just one week after the previous update, the company has had to release a further update to fix the vulnerability.
Buffer overflows can occur in the YVerInfo.dll ActiveX control. Attackers can trigger these by, for example, using crafted web pages. According to Yahoo's security advisory, the vulnerability, discovered by security services provider iDefense, can result in unwanted logouts from chat or messenger sessions, software such as Internet Explorer crashing or execution of external code.
The bug affects versions of YVerInfo.dll prior to the current version, 2007.8.27.1. The ClassID of the ActiveX control is {64AA7031-C150-4118-8D31-FD273A2BB22C}. Users can either set the kill bit for this control so that Internet Explorer will no longer load it or deactivate ActiveX for the internet zone completely in IE. Alternatively, the updated version of Yahoo Messenger, which is now available, also fixes the vulnerability.
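The kill-bit workaround described above, as an added example that is not part of the heise article or of Yahoo's advisory: the script checks the installed YVerInfo.dll version against the fixed version named in the article and then sets the Internet Explorer kill bit for the control's ClassID. The registry locations are the documented "ActiveX Compatibility" keys (the Wow6432Node path is assumed for 32-bit IE on 64-bit Windows); run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): audit and kill-bit the YVerInfo.dll ActiveX control.
$clsid    = '{64AA7031-C150-4118-8D31-FD273A2BB22C}'   # ClassID from the advisory
$fixedVer = [version]'2007.8.27.1'                     # first fixed version per the article

# 1. Find the registered DLL through its COM registration and read its file version.
$server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                           -ErrorAction SilentlyContinue
if ($server) {
    $dllPath = [Environment]::ExpandEnvironmentVariables($server.'(default)')
    if (Test-Path $dllPath) {
        $installed = (Get-Item $dllPath).VersionInfo.FileVersion -as [version]
        if ($installed -and $installed -ge $fixedVer) {
            Write-Output "YVerInfo.dll $installed installed: already at or above fixed version."
        } else {
            Write-Output "YVerInfo.dll $installed installed: VULNERABLE (older than $fixedVer)."
        }
    }
} else {
    Write-Output "Control $clsid is not registered on this machine."
}

# 2. Set the kill bit (Compatibility Flags = 0x400) so IE refuses to load the control,
#    in both the native and the 32-bit (Wow6432Node) registry views where present.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # assumed for 64-bit hosts
)
foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }
    $key = Join-Path $base $clsid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value 0x400 -Force | Out-Null

    # 3. Verify the bit actually stuck before reporting success.
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if (($flags -band 0x400) -ne 0) {
        Write-Output "Kill bit set under $key"
    } else {
        Write-Warning "Kill bit NOT set under $key (flags=$flags)"
    }
}
```

Setting the kill bit is independent of updating Messenger: it blocks the control in IE even after the patched DLL is installed, so remove it only if the control is needed again.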
- Yahoo! ActiveX Control Update, security advisory from Yahoo
- Download the updated version of Yahoo Messenger
- Update for Yahoo Messenger, report by heise Security from 24th August 2007
(mba)