Security researchers are warning of a security hole in Yahoo Inc.'s Messenger that could allow attackers to run their own code on computers using the instant messaging program. The buffer overrun vulnerability was discovered by researcher Tri Huynh in a file named "yauto.dll," which is an ActiveX component of Yahoo! Messenger software versions up to 5.6.0.1347, according to a security alert released Wednesday by Secunia Ltd. of Copenhagen, Denmark. Yahoo did not immediately respond to requests for comment.
The company was notified via e-mail about the hole one month ago, but did not respond, Secunia said. Yahoo! Messenger allows users to instantaneously communicate with each other over the Internet using text messages. It also lets users send files or links to Web pages. Instant messaging applications such as Yahoo! Messenger, Microsoft Corp.'s MSN Messenger and America Online Inc.'s AOL Instant Messenger are increasingly used at companies to let workers communicate with each other over corporate LANs. ActiveX is a Microsoft technology that allows software developers to create small, reusable bits of code, called "controls" that enable programs to share information over computer networks and the Internet.
News source: InfoWorld
1 Comment - Add comment