Yahoo! Messenger! in! security! flap!

Its buffer floweth over

channel

Yahoo! Messenger users have been warned to update their IM software following the discovery of a serious security bug.

The vulnerability - which involves an unspecified buffer overflow bug in the IM client's YMailAttach ActiveX control - creates a potential means for hackers to take control of Windows (and only Windows) PCs.

Users running Yahoo! Messenger clients released before 2 November are advised to update to the latest version of the software via the Yahoo! download site here. Unless they apply the update, users of Yahoo! Messenger 5,6,7 and are all at risk from attack in cases where they are tricked into visiting maliciously constructed websites that take advantage of the vulnerability.

Both Yahoo! (here) and US CERT (here) have published advisories explaining the problem in greater depth. US CERT lists a number of workarounds, such as disabling the affected ActiveX control in IE, designed to guard against attack for those not yet ready to upgrade. ®

Sponsored: Network DDoS protection