ActiveX controls - so often the source of Internet Explorer flaws - are the font of two newly discovered flaws in Yahoo! Messenger.

Buffer overflow-related security bugs in the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control and Webcam Viewer (ywcvwr.dll) ActiveX control allow hackers to inject malware onto Windows PCs running the popular instant messenging software.

The vulnerabilities have been confirmed in version 8.1.0.249 of Yahoo! Messenger. Other versions might also be affected, but this remains unconfirmed.

Users are advised to disable the affected ActiveX controls as a workaround, pending a security patch from Yahoo!

The flaws were detailed by white-hat hacker Danny in postings (here and here) to a full-disclosure security list on Wednesday. On Tuesday, security tools firm eEye said it had reported flaws in Yahoo! Messenger 8.

Beyond describing the bugs as high risk, eEye omitted details on the multiple flaws it reported to Yahoo!

Although we can't be sure, it's highly likely the flaws identified by Danny and eEye are one and the same. ®

Related stories

• Yahoo! Messenger! users! face! attack! by! video! (16 August 2007)
• 10 reasons why the Black Hats have us outgunned (13 June 2007)
• Yahoo! patch squashes messenger bug (8 June 2007)
• Analysis Google security vulnerabilties stack up (3 June 2007)
• Insecure plug-ins pose danger to Firefox users (1 June 2007)
• Wife of Chinese cyber-dissident sues Yahoo! (9 March 2007)
• Yahoo! false! alert! drama! (1 March 2007)
• Yahoo! Messenger! in! security! flap! (18 December 2006)
• JavaScript worm targets Yahoo! (12 June 2006)
• IM worm installs rogue browser (22 May 2006)