
Security analysts are warning that Yahoo! Messenger is vulnerable to ActiveX attacks similar to those recently reported in the image uploading tools for Facebook and MySpace.
Elazar Broad discovered a boundary-condition vulnerability in mediagrid.dll, version 2.2.2.56; Krystian Kloskowski and Broad discovered a second boundary-condition vulnerability in datagrid.dll, version 2.2.2.56c; and Kloskowski has also disclosed a buffer overflow in datagrid.dll 2.2.2.56.
These three vulnerabilities are found in Yahoo Instant Messenger 3.5 and Yahoo Messenger 4.0, 5.0 and 5.5. Because the affected DLLs are ActiveX controls, they can be instantiated by a web page in Internet Explorer, so a crafted page could trigger the flaws and allow an attacker to compromise affected systems.
The simple solution is to use a web-based messenger or upgrade to the current version of Yahoo! Messenger. If you're determined to stick with an old, buggy version, there is a workaround: disable the ActiveX controls implemented by the DLLs in question by setting their kill bits in the registry, which stops Internet Explorer from instantiating them from a web page (details from Microsoft here). Note that the kill bit does not patch the DLLs themselves; it only blocks browser-based instantiation of the controls.
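As an added example (not part of the original article or of Yahoo!'s or Microsoft's own tooling), the following PowerShell script shows how the kill-bit workaround is applied in practice. The article names the DLLs but not their CLSIDs, so the script looks the CLSIDs up in the COM registration (any class whose InprocServer32 default value points at mediagrid.dll or datagrid.dll) rather than hard-coding them, then sets bit 0x400 of "Compatibility Flags" under Microsoft's ActiveX Compatibility key and verifies the result. It assumes an elevated PowerShell session on the machine where the controls are registered; the DLL names come from the article, everything else is discovered at run time.

```powershell
# Added example: locate the ActiveX controls behind the named DLLs and set the IE kill bit.
# Run from an elevated PowerShell prompt. No CLSIDs are assumed; they are read from the registry.

$KillBitFlag = 0x400   # bit of "Compatibility Flags" that stops IE instantiating a control

# The kill-bit key lives under the native registry view; 32-bit IE on 64-bit Windows
# reads the Wow6432Node copy, so set both where the node exists.
$KillBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-ClsidForDll {
    param([Parameter(Mandatory)][string]$DllName)
    # Walk every registered COM class and keep those whose in-process server is the named DLL.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)') {
                $path = ([string]$server.'(default)').Trim('"')
                if ([IO.Path]::GetFileName($path) -ieq $DllName) {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $path }
                }
            }
        }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $KillBitRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $value = [int]($existing -bor $KillBitFlag)
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only when the kill bit is present in every registry view we manage.
    foreach ($root in $KillBitRoots) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBitFlag) -eq 0)) { return $false }
    }
    return $true
}

# DLL names as given in the article.
foreach ($dll in 'mediagrid.dll', 'datagrid.dll') {
    $hits = @(Get-ClsidForDll -DllName $dll)
    if ($hits.Count -eq 0) {
        Write-Host "$dll is not registered as a COM server on this machine"
        continue
    }
    foreach ($hit in $hits) {
        Set-ActiveXKillBit -Clsid $hit.Clsid
        $state = if (Test-ActiveXKillBit -Clsid $hit.Clsid) { 'set' } else { 'NOT set' }
        Write-Host ("{0} ({1}) -> {2}: kill bit {3}" -f $dll, $hit.Server, $hit.Clsid, $state)
    }
}
```

The lookup step matters because a vendor may register several controls from one DLL, and every one of them needs the kill bit. The check at the end reads the flag back rather than trusting the write, which is the same test you would run on a fleet to confirm the workaround took. Remember that this only blocks browser-hosted instantiation; the vulnerable code is still on disk until Messenger is upgraded.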