Yahoo patched two vulnerabilities in Messenger's ActiveX control, which were disclosed by a hacker offering proof-of-concept exploit code earlier this week.The web giant encouraged Messenger users to download version 126.96.36.1990 from its website.
"The Yahoo Messenger team recently learned of a buffer overflow security issue in ActiveX control. Upon learning of this issue, we began working toward a resolution and implemented a fix to Yahoo Messenger’s software download," read a statement released today by company spokesman Terrell Karlsten. "We are encouraging all Yahoo Messenger users to download the latest version available at messenger.yahoo.com."
Users will be prompted to download a new version of Messenger in the coming weeks, according to the statement.
According to an advisory released Thursday, Yahoo was made aware of the flaw by eEye Digital Security.
A hacker using the handle "Danny" released two zero-day ActiveX exploits for Yahoo Messenger’s Webcam application on the Full Disclosure mailing list on Thursday.
Secunia ranked the flaws as "highly critical" and FrSIRT assigned them a "high" risk ranking.
One flaw is a boundary error within the Yahoo Webcam Upload ActiveX control, which can be exploited to cause a stack-based buffer overflow, according to a Security advisory updated today.
The other vulnerability exists within the Yahoo Webcam Viewer ActiveX control and can also be exploited for a stack-based buffer overflow attack, according to Secunia.
Don Montgomery, vice president of marketing at Akonix, told SCMagazine.com today that better email security solutions and the convergence of networks are two reasons hackers are turning their attention to IM.
"They are turning to this pathway because it’s still open to them. Obviously, email is still a big spam target, but not as big of a target for viruses," he said.