SAN FRANCISCO – Yahoo has issued a “highly critical” update for its popular instant messenger feature as it tries to combat security flaws that could allow an attacker to take over a user’s system.

The flaws affect Yahoo Messenger versions 5.0 through 8.0, according to a security advisory released Friday by Secunia and reported by CNET News.Com. Windows users who were running versions of Yahoo Messenger before November 2 are advised to update to Yahoo Messenger 8.1.

A security flaw was found in the ActiveX control component of Yahoo’s services suite that typically downloads with the Yahoo Messenger installer. The vulnerability could allow a buffer overflow to occur in the ActiveX control. A buffer overflow occurs when a program tries to store more data in a temporary storage area than the area can hold, which can crash the system or give an attacker “back door” access to it.

As a result of the ActiveX vulnerability, users could involuntarily be logged out of a Messenger session, have an application such as Internet Explorer crash, or have malicious code launch on their PC if they’re lured to a malicious Web site, according to a security advisory released by Yahoo last week.

In the past, users of Yahoo Messenger have been the target of phishing attacks. Attackers would send a message to users that appeared to come from someone on their friends’ list, and attempt to lure them to a bogus Yahoo site. The site would then prompt users to enter their Yahoo ID and password.