Yahoo Patches IM Security Hole

By Matthew Hicks  |  Posted 2003-12-04 Print this article Print

A security update to Yahoo Messenger fixes a vulnerability that could allow a Web site to execute code, though the company says few users are at risk.

Yahoo Inc. this week issued a security update for Yahoo Messenger after the report earlier this week of a buffer overflow vulnerability in the instant messaging client. Yahoo said it learned of the security issue late Tuesday and issued the patch by Wednesday afternoon. Security researcher Tri Huynh discovered a vulnerability that, if exploited, could allow a malicious Web site to run code on a users computer, according to an advisory issued Wednesday by Danish security company Secunia. The vulnerability stems from an error in the "yauto.dll" file, an ActiveX component of Messenger. The security hole affects Yahoo Messenger versions and earlier, the advisory said.
Secunia rated the vulnerability as "highly critical," but Yahoo said it knows of no actual exploits of the vulnerability. The company also said that only a small percentage of users would be affected because the exploit is linked to a wider vulnerability in Internet Explorer.
Only users that have chosen to change IEs security settings to the "low" level, rather than the default "medium" setting, or that are not running the most recent IE patches would be vulnerable, Yahoo said. An attacker then would need to direct a vulnerable user to view malicious HTML code in order exploit the hole. Even after downloading the Yahoo Messenger fix, users who dont also change their security settings or run recent IE versions could be susceptible to other security vulnerabilities not related to Yahoo Messenger, . "[Yahoo] encourages users to change their IE security setting back to the default level of medium and to upgrade to the most recent version of IE," spokeswoman Mary Osako said. Yahoo isnt alone in having security vulnerabilities reported in its IM software. All the major IM networks have had periodic security holes—especially buffer overflows—exposed, said Dmitry Shapiro, CTO and founder of Akonix Systems Inc., an enterprise IM gateway vendor. IM security issues are gaining more attention as employees access the top IM networks at work, posing a threat for companies that dont manage the updating of those IM clients or block malicious activity such as the sending Web links known to be virus-laden, he said. "Even though networks do a great job of releasing the patches, the users do a terrible job of applying patches," Shapiro said. "Instant messaging is a ripe target for hackers."
Matthew Hicks As an online reporter for, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel