Buggy ActiveX controls menace Yahoo! Messenger
Print storyWebcam! library! peril!
Posted in Security, 7th June 2007 10:24 GMT
Free whitepaper – Certify your software integrity with Thawte code signing certificates
ActiveX controls - so often the source of Internet Explorer flaws - are the font of two newly discovered flaws in Yahoo! Messenger.
Buffer overflow-related security bugs in the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control and Webcam Viewer (ywcvwr.dll) ActiveX control allow hackers to inject malware onto Windows PCs running the popular instant messenging software.
The vulnerabilities have been confirmed in version 8.1.0.249 of Yahoo! Messenger. Other versions might also be affected, but this remains unconfirmed.
Users are advised to disable the affected ActiveX controls as a workaround, pending a security patch from Yahoo!
The flaws were detailed by white-hat hacker Danny in postings (here and here) to a full-disclosure security list on Wednesday. On Tuesday, security tools firm eEye said it had reported flaws in Yahoo! Messenger 8.
Beyond describing the bugs as high risk, eEye omitted details on the multiple flaws it reported to Yahoo!
Although we can't be sure, it's highly likely the flaws identified by Danny and eEye are one and the same. ®
Free whitepaper – Securing your Apache web server with a Thawte digital certificate
The best practices guide for application security
Reducing messaging and web security costs with managed services
Avoiding 7 common mistakes of IT security compliance
Certify your software integrity with Thawte code signing certificates
The future of SaaS and IT infrastructure management
Feds: Hospital hacker's 'massive' DDoS averted
Buggy 'smart meters' open door to power-grid botnet
Microsoft knew of nasty IE bug a year before attacks
BlockMaster SafeStick hardware-encrypted USB drive