Shifter

December 5, 2003


Yahoo this week released a security fix for Yahoo Messenger in response to a report that attacks might take advantage of a buffer overflow vulnerability in the popular instant messaging client.



Earlier this week, Danish security firm Secunia issued an advisory noting the vulnerability, which in a worst-case scenario could let hackers who entice surfers to a malicious Web site run code on the compromised machine.



The vulnerability is due to a flaw in the ActiveX component yauto.dll used by Yahoo Messenger. The problem, said Secunia’s alert, affects versions 5.6.0.1347 and earlier.



According to Yahoo, the vulnerability could affect only those users who have changed the security settings of Internet Explorer from the default ‘medium’ to the ‘low’ option. Yahoo recommended that users install the most recent version of Internet Explorer and, if they’ve changed security settings for the browser, return them to the default setting.



Yahoo said it wasn’t aware of any active exploits of the bug, but nonetheless posted a patch for Yahoo Messenger. The fix is available for downloading from the company’s Web site.


