Posted by Virus Bulletin on Jun 8, 2007
Critical vulnerabilities fully disclosed.
Two security flaws in the popular Yahoo! Messenger communications software have been reported, with full details available online before a fixed version of the product became available.
Initial reports of the flaws, both buffer overflow issues in ActiveX controls used by the software, imply they are simple to exploit, with in-depth descriptions made available via the Full Disclosure system. Although as yet there have been no reports of exploit attempts in the wild, Yahoo! has rushed out a fixed version and is advising all users to upgrade as soon as possible, with automated upgrades due to take place over the next few weeks.
Yahoo!'s details on the flaws, and links to the update, are here. The flaws were reported to Yahoo! by eEye Digital Security, who carry an alert here, while a Secunia summary, rating the issue 'Extremely Critical', the most serious level of alert, is here, and a further warning on the F-Secure blog is here.
Posted on 08 June 2007 by Virus Bulletin