NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0220 Yahoo Messenger Flaw:


Security firm Symantec is warning users that a high-risk vulnerability in the Yahoo Messenger application, for which Yahoo recently offered a fix, is currently being exploited by at least one web site. The vulnerability is a buffer overflow in Yahoo Messenger's webcam ActiveX control that can be exploited to execute arbitrary code within the context of the application that is using the control. The exploit observed by Symantec works through a specially crafted malicious web site that uses the vulnerability to run arbitrary code within the context of the victim's browser and gain control of the victim's system. Proof-of-concept code was originally discovered by eEye Digital Security during the previous week, and Yahoo released an updated version of Yahoo Messenger to fix the flaw. Yahoo Messenger versions 5.5.0 through 8.0.0 are affected by the flaw. Symantec urged users to upgrade to the latest software, and also recommended that users always run non-administrative software as an unprivileged user with minimal access rights in order to limit the effectiveness of exploits.

(eWeek.com 13JUN07)



Last Modified: Saturday, 21-Jul-2007 10:22:06 EDT