Yahoo! battered by second ActiveX vulnerability
Upgrade averts code catastrophe
Yahoo! users are urged to upgrade their instant messaging software following the discovery of a brace of security vulnerabilities - the second set of serious security flaws involving Yahoo! Messenger in as many weeks.
The latest security bugs both stem from stack-based buffer overflow flaws in the YVerInfo.dll ActiveX control. Successful exploitation, which is far from straightforward, creates a means for hackers to inject hostile code onto systems running vulnerable versions of Yahoo! Messenger.
In order to exploit the bugs, hackers would need to establish a malicious web page in the yahoo.com domain, which might be done by methods such as a cross-site scripting vulnerability or by manipulating DNS resolution, security notification firm Secunia reports.
The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version 220.127.116.119, released late last week. Users are urged to upgrade.
Last month security researchers identified an even more serious bug - again involving a dodgy ActiveX control - that meant users were exposed to attack providing they accepted a webcam invite from a hacker. ®