Flaw in ActiveX Attacked Yahoo Widgets
Security researchers have warned that Yahoo Widgets (a platform that runs small, web-based, gadget-like applications on the desktop of a PC) contains a critical vulnerability that attackers can use to hijack a Windows PC.
An attacker can exploit a flaw in an ActiveX control bundled with Yahoo Widgets to cause a buffer overrun by passing it a very long string (more than 512 bytes), and then execute malicious code on the affected computer.
A remote attacker can also craft an HTML page that, when loaded by the target user, runs the same arbitrary code on the target user's PC. The most common form of this attack is to feed users links to malicious sites.
Yahoo released an update to the Widget engine in the last week of July 2007. On 30th July 2007 Secunia, a vulnerability tracker from Denmark, notified Yahoo of the bug and published the flaw. Secunia called the issue "extremely critical" and rated it at the second-highest level of its scoring system.
The flaw is caused by a boundary error in the YDPCTL.YDP Control.1 (YDPCTL.dll) ActiveX control when handling the "GetComponentVersion()" method. It is confirmed in YDPCTL.dll version 2007.4.13.1, which ships with Yahoo Widgets version 4.0.3 (build 178); other versions may also be affected.
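The boundary error described above is the classic pattern of a COM method copying a caller-supplied string into a fixed-size stack buffer without checking its length. The following C program is an added illustration of that bug class and its fix; it is not Yahoo's code, nothing about the internal layout of YDPCTL.dll is known from this page, and the function names, the 512-byte buffer size (chosen to match the advisory's threshold) and the "name/2007.4.13.1" output format are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size, chosen to match the ">512 bytes" threshold the
 * advisory describes. The real layout of YDPCTL.dll is not known. */
#define COMPONENT_BUF 512

/* Hypothetical VULNERABLE pattern (not Yahoo's code): the caller-supplied
 * component name is copied into a fixed stack buffer with no length check.
 * Any name of 512 or more characters runs off the end of `name` and corrupts
 * the stack, which is the boundary error described above. Shown for contrast
 * only; never call it with untrusted input. */
int get_component_version_vulnerable(const char *component,
                                     char *version_out, size_t out_len)
{
    char name[COMPONENT_BUF];
    strcpy(name, component);                     /* BUG: unbounded copy */
    snprintf(version_out, out_len, "%s/2007.4.13.1", name);
    return 0;
}

/* Hardened version: measure the input against the buffer before touching it,
 * refuse anything that would not fit together with its terminating NUL, and
 * check that the formatted result was not truncated.
 * Returns 0 on success, -1 on rejected or oversized input. */
int get_component_version_hardened(const char *component,
                                   char *version_out, size_t out_len)
{
    char name[COMPONENT_BUF];
    size_t len = 0;

    if (component == NULL || version_out == NULL || out_len == 0)
        return -1;

    /* Bounded scan: never read past COMPONENT_BUF bytes of the input. */
    while (len < COMPONENT_BUF && component[len] != '\0')
        len++;
    if (len == COMPONENT_BUF)                    /* 512+ chars: would overflow */
        return -1;

    memcpy(name, component, len + 1);            /* len + 1 <= COMPONENT_BUF */

    int n = snprintf(version_out, out_len, "%s/2007.4.13.1", name);
    if (n < 0 || (size_t)n >= out_len)           /* output would be truncated */
        return -1;
    return 0;
}

/* Demo helper: build a constructed name of n 'A' characters (n < 1024) and
 * return the hardened function's result, to probe the length boundary. */
int probe_name_length(size_t n)
{
    char name[1024];
    char out[COMPONENT_BUF + 32];
    if (n >= sizeof name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return get_component_version_hardened(name, out, sizeof out);
}

/* Demo helper: 1 if the hardened function accepts `component` and produces
 * exactly `expected`, else 0. */
int version_string_is(const char *component, const char *expected)
{
    char out[COMPONENT_BUF + 32];
    if (get_component_version_hardened(component, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[COMPONENT_BUF + 32];
    char attack[600];

    /* Constructed attacker input: 599 'A's, well past the 512-byte buffer. */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    int rc = get_component_version_hardened("YDPCTL", out, sizeof out);
    printf("short name:    rc=%d out=%s\n", rc, out);
    rc = get_component_version_hardened(attack, out, sizeof out);
    printf("599-byte name: rc=%d (rejected before any copy)\n", rc);
    /* get_component_version_vulnerable(attack, out, sizeof out) would
     * overwrite the stack here, which is the exploitable condition. */
    return 0;
}
```

The hardened version rejects 512 characters and accepts 511, because the 512th character would leave no room for the terminating NUL; that off-by-one at the boundary is where many "fixed" controls still fail, so it is worth probing both sides of the limit when testing a patched build.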
Don Montgomery, Vice President of marketing at Akonix, said that many desktops are at risk because of the prevalence and ubiquity of widgets. He added that a virus can be downloaded not only through email but also through small-footprint code such as widgets, according to SCMagazine's report of 30th July 2007.
However, users have reported that even with the Widgets update mechanism turned on, they have still not received notification of the security patch. Yahoo confirmed this in a security advisory posted on the Widgets site, which said that users worldwide would be prompted to update to the latest edition of Yahoo Widgets.
According to a PC Advisor report of 30th July 2007, Yahoo said that only the Windows version is at risk; the Mac OS X version does not need updating. The company advised users to update to Yahoo Widgets version 4.0.5 rather than wait for the update notification.
» SPAMfighter News - 08-08-2007