Yahoo Fixes Critical Defect in Messenger and Issues Update
The discovery of a critical defect in its widely used Messenger Internet chat software has led Yahoo Inc. to issue an important update to the program. The flaw could have allowed a malicious agent to take over a computer running the program. The problem lies in a defective Yahoo Messenger ActiveX control that could be exploited to crash a chat session, render the Internet Explorer browser useless, or execute harmful code on a targeted PC.
An advisory issued on December 15, 2006 by Danish security company Secunia warned that the bug was present in all versions of the Messenger software for Windows PCs that were installed on computers before Nov. 2, 2006. Secunia has rated the bug "highly critical." Yahoo Inc. has repaired this critical flaw in its Windows instant messaging program and has asked users to download and install an updated version.
The flaw could have resulted in a buffer overflow within the ActiveX control. A buffer overflow happens when a program attempts to place too much information in a temporary storage area, leading to a system crash or granting backdoor access to an attacker.
Yahoo played down the threat and said that harm could have resulted only if an attacker had been able to persuade someone to visit a Web page and view malicious HTML code. The company said that it has, so far, not come across any instance of successful code exploits relating to the bug. The portal and search company asked all users who downloaded Yahoo Messenger before November 2 to install the v. 8.1 update. A prompt will be issued for this purpose when such users next access Messenger.
Yahoo Messenger users have often been the target of phishing attacks. Attackers would message an IM user in the name of a friend and tempt the user to visit a fake Yahoo site. The site would then ask the visitor to enter a Yahoo ID and password.
» SPAMfighter News - 21-12-2006