Exploit code is out for critical Yahoo Messenger flaws found by eEye Digital Security earlier this week. Both of the flaws, which allow for system hijacking, are boundary errors in two ActiveX controls in Yahoo Messenger"s Webcam Upload and Webcam Viewer.
Security researchers say that they expect attacks using the flaws to arrive soon. That makes prompt patching critical. Yahoo has an update available, Version 126.96.36.1991, to fix the vulnerability, posted at messenger.yahoo.com. The company provided this statement on the issue:
"The Yahoo Messenger team recently learned of a buffer overflow security issue in an ActiveX control. Upon learning of this issue, we began working towards a resolution and implemented a fix to Yahoo Messenger"s software download. We are encouraging all Yahoo Messenger users to download the latest version (188.8.131.521) available at messenger.yahoo.com."