ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Software

Office applications Toolkit

Yahoo answers IM security flaw

Matt Hines CNET News.com

Published: 08 Dec 2003 10:40 GMT

Yahoo has issued an update to its instant-messaging software, in order to address a security flaw found in the application.

The company said the security issue was related to a buffer overflow, which is a common security vulnerability in computer programs written in C and C++ that allows more information to be added to a chunk of memory than it was designed to hold.

Typical problems involved in an instant-messaging-related buffer overflow might include an involuntarily log-out of an IM session, a crash of browsing software applications, and a possible introduction of executable code. The last of the potential problems would likely cause the most damage, as the code might allow a malicious programmer to take control of a user's machine, delete files and otherwise wreak havoc with a victim's computer system.

According to Yahoo, only a small percentage of the company's IM software users might be vulnerable as a result of the flaw. Yahoo said customers who changed their Explorer security settings from "medium" to "low" could be affected. The company said that even in that case, an attacker would have to lure a user of Yahoo IM to view malicious HTML (Hypertext Markup Language) code. Most often this would entail clicking a link sent through IM that leads back to a Web page hosting the code. Before changing an IE security setting to low, individuals are warned by the browser that the setting is considered "highly unsafe." Yahoo said it has not yet heard of any successful attacks based on the buffer flaw.

Yahoo, which issued the new IM software on Thursday, reported that it first learned of the vulnerability via a warning posted to a security message board Tuesday night. The company said it immediately began working to validate the flaw and address the issue. Yahoo recommends updating its IM software on a regular basis to ensure customers are protected against similar flaws.

A nearly identical flaw was addressed in an earlier security patch distributed by Yahoo earlier this year.

Did you find this article useful?
37 out of 68 people found this useful

More In Office applications

Company/Topic Alerts

Create a new alert from the list below:

Related Jobs

Messaging Support Analyst (AD,TREND protection,Exchange) BANKING

PAYMENT CARD SECURITY CONSULTANTS - CISSP PCI DSS - ESSEX - PERMANENT

FORENSICS SECURITY CONSULTANT CISSP QSA

Featured Talkback

Why do so many (virtually all) software packages think that they are so important that they have to be started automatically every time the computer boots? What is the largest number of "speed access", "update check", "camera download" and whatever other background programs you have ever seen running? Of those, how many did you really need?