Messaging & Collaboration - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Messaging & Collaboration


Yahoo Patches IM Security Hole



 By: Matthew Hicks
2003-12-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Messaging & Collaboration story.


Rate This Article:
Poor Best
A security update to Yahoo Messenger fixes a vulnerability that could allow a Web site to execute code, though the company says few users are at risk.

Yahoo Inc. this week issued a security update for Yahoo Messenger after the report earlier this week of a buffer overflow vulnerability in the instant messaging client.

Yahoo said it learned of the security issue late Tuesday and issued the patch by Wednesday afternoon. Security researcher Tri Huynh discovered a vulnerability that, if exploited, could allow a malicious Web site to run code on a users computer, according to an advisory issued Wednesday by Danish security company Secunia.

The vulnerability stems from an error in the "yauto.dll" file, an ActiveX component of Messenger. The security hole affects Yahoo Messenger versions 5.6.0.1347 and earlier, the advisory said.

Resource Library:
Secunia rated the vulnerability as "highly critical," but Yahoo said it knows of no actual exploits of the vulnerability. The company also said that only a small percentage of users would be affected because the exploit is linked to a wider vulnerability in Internet Explorer.

Only users that have chosen to change IEs security settings to the "low" level, rather than the default "medium" setting, or that are not running the most recent IE patches would be vulnerable, Yahoo said. An attacker then would need to direct a vulnerable user to view malicious HTML code in order exploit the hole.

Even after downloading the Yahoo Messenger fix, users who dont also change their security settings or run recent IE versions could be susceptible to other security vulnerabilities not related to Yahoo Messenger, .

"[Yahoo] encourages users to change their IE security setting back to the default level of medium and to upgrade to the most recent version of IE," spokeswoman Mary Osako said.

Yahoo isnt alone in having security vulnerabilities reported in its IM software. All the major IM networks have had periodic security holes—especially buffer overflows—exposed, said Dmitry Shapiro, CTO and founder of Akonix Systems Inc., an enterprise IM gateway vendor.

IM security issues are gaining more attention as employees access the top IM networks at work, posing a threat for companies that dont manage the updating of those IM clients or block malicious activity such as the sending Web links known to be virus-laden, he said.

"Even though networks do a great job of releasing the patches, the users do a terrible job of applying patches," Shapiro said. "Instant messaging is a ripe target for hackers."



  Reader Comments: Yahoo Patches IM Security Hole
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Messaging & Collaboration Articles          >>> More By Matthew Hicks
 


x}ks8q8c޲#d[c[^K7SJK1ErIʶf7n|AI~d2ĩ6ЍFh|GgoD.01tE1>=zoHRsoL#4r%GgPSrD廚fw2v#S;^ > \?g#Q;Y|P:x =3~bA2xFaIH'l6XBX_yyN .tvl(r~ƷPƞ3C27 pXHv T'>6O( |@ɠi!ZdQ#}9e f42MY j\/X-UJ~d<<<Lp|˴g&Neם;ѾޅRQ E_:9~`hiv$V(0n{'WO틋wy@.{A~$Vj}&DeR)I&0h'6tt<_B^,9DFI?j|%R/ՋpT(*.#=-bv=ӧ0CF_8RGf9򳹥}o\tzmotg>ߘekfy3jPAf(`W:+㽩S=;}\vo{{CN۟:'gg:Rڟl3H/k*~k!-zb M u4}GuIͽGf{|&޺x|9!9Io'|?%8_^Cf&j ͒UB_;XȏKŗG)H7#ǚ Mmdʩ$|ǺzNSlj^m&T3o`2 4.Fh-Aho*KhLr &@Sk~$M cΚb.L2o<|SPJۤ%/^(Pe!PC!)\Dh+ԌTwYQQ#=^f/\RD1Al8{ØWҽTwsQ [|28?]7Du..*s5-wnxaZRpx=n[7Sһ^>aUb}PhvZM]qsuTSt,T+t o| 5KUG'-dj`qaeJݠ#mfywς@ tiSM#|>96m'!|Аd mxZ.s3IXn`NthoQy4ڭ,%_ >< )FP=H6(Zχ`jc˦M@B9ǻޚB<Qҡ4|aqjQ?]*~h3-w= | wA,ߣ9#z[LKx GN }t (~9-WRC/0y"ڜ"D% T h4AǰEENA7;.V˥\.y"m':.3Pr x&,R,BV-KᗄPf%i2mń(VFNl(0Vf){@L\n|8$/4<3_O#k[} e jJ=SsA|5 i!3L&Ze onMn^ʚtɕU.F*+b*q (> 4zS\O &Δō$)ЊO}?ٲJb-Yֽk%fcP.our@_&&ےx A-ʘŗZZG"JMP>W "Cɣ($me6LInPy{8`O>7l{`(`R rQ )Ka Ja5sV@@@7h TolVCax=Zz' As,\O{D \|m0TNϣ(a!w1 N) 6Aװ Dؙ&0Sӹbp=z˸>q,?XĞ]FCǚO]Sa﬽.JW-!bFd>i 'L[aHz{>8`Tfha82-|?x;HySI_)+EUI?O~1:2.eX k9<}"}INt@F ‘"=yj% m!T0|"j*VD0pl) RUԒtZC ^~vJI:hdzTy>Q7Ϗ9(gd%d)>'HZ+k՘fj*Zjf~~{ ߥ:8pF#}y6w'~~L2/}VzKݠG>sW}G>N&-h'^+0v *u\NR_!<4`TP95fj =yhdEM]CNx.+pD\POM__C+ʅ:LΓuSb)&GJtlʂu!ה2tXݙ `1}j$a!L`f0!+ #mqJk8ԿCuλWԴ)Z+::>j9gkӥ ,ć{n#f鍂>Lk}]PjVTkk9m`7b/Bc$D! #2z p[kh0NT<]w]܁c:P{PDK&nƚ637}&mno^{x˙yrN?dZIp|]avKrekH˷"gfjso鸙 y@<sP('0m3hSYlpg=H]Ӟyu}lO>=Z\co:\$t'\&ȫ"wl>s3ѻMkls Kq3`9S"豥mBt^+'& R VZ;zGd!9ks-!?3/-Vipm6=R d {259p\Semi{}6['*PP;&K_P@ZhO \k898$D2$Me"٭XSV82V6jRaokA~fZʑ3HU |E࣏ C/ PNk䦰ڽv?fIRTS,.m$mXjYIz, :{Z,cEZ`ЯxLl5AKfl!/`.Q(S/zfD}R/)3nQ/ ~egmS?PG te[,"uN8$#?t?^Jև6?eBdA$(Xq4qߵ!s'^y {{:=\}n; EFp0Z <!hq^ 8+%E;"u ߽< rDp'Bj]t>\$'d0 srn݄'6b ` xѤȢ<"F<$]wFDPa Be\7,8;B3ZK fEu8aVxy~¯nU2k~~ I5:=>   c@JA=Vo8/Z#i%LB[( `E/Щ cAHFrI'zRG>egM3_f Rt4zUr:Pעo)MJ!}J_cNfo4~ P=8,rh%縵vi^a~:)}AmN9˙~DҼ"_"TS8LLàv)fTDSeoy0;Fp8쀒N){7lOڡ-F]kցS9Z)N yux2Ƞ#%tBfye5))eH5N# YuIH~(i&'ءXҡ۳]'8 $O krwisq/Psa%yx42k85(~uNHqJiIw3DJԢᬖ^}+ ɏh8=Na.OZϗ{GNz*6GHDi:n{GQ =dFonO8Z𿲜\ta_}`|;sF'5\{6'cv,Q'}9lm DK,Ai8;_=?PFsgOɭ2sXs\uSBptەg_bxYa)~h8Sʹ9풫n.Һ?5L0c,H~ {#|$~>xFM>xuS意G ڽ9k3rĸel(=hKx?Koҽ{g;ᧅ}E4rtRTsd{I6ӱ$BU/tln(rYpJUOVr{ld+N$c,n%P2Y;pOҠc}dOI>]f+wP{_x͞6YiYU/J\ -"Pn'Z^|W%0.5zQc%Fc?^ϗt8a8?6#,Ӝi4BVɇ&L+dXZ_9 V1!ȁK݆50lP0v,<7_ObSjyk|1a=ɜ`.&a'2[Q)֏xP7_ܗf\j_KMgWx =pȹvO7_^Z}KʤoxZB6onU eE"SVMg?KWX4$1qDX_NJl<>zy=d(΀,DSFJX3:Qm'1cF+UfQA7)Ȋw%Sj#Z* Nɒ+voWH\+JCym"5[PC%WpOZs?^$ӚtoaMEάCS9%jg:HJorҀl7s42z|!ń1`e͢^00=3.+%. eѪ }B3^ DyA@vGj1b|(!)^۠6of7jZN%R@R|ϦXf3TTLk.U S!ݱxV59(neZpaĉL*X*zUb*F'` E@ JBxd8N2KKKK{Ɋu{ɢdU">a),$ZPw`ƚ-vaFY`dbJiL`/?'hu C,rK^?_a+_xi>б?Z Y3Y5u`} ]q.pH }}<;-po{^- ñ:-K'ͲpoG3mRoݛ5$~P" _9݄dsC/K,)ͻE,bN"tMX |+ < F1`H a`H9@8FUBHn_)fXѡ$NҩiAڲԲ,Ƶc?D0 FAp/5+k:_?MQ"2XF20D +JF/؁_/ak]py,/9#LY]!U.ʶ=B{[\\ sYv35 uVIDsy{13 e#G٥B+#A.WjWhEwa븠+&.⫽yKh<ŗA9rO|k nfvKǤ\?f]u۠Btϡ6k1Xktym]$5?}{{ŷis`eul:/r:5?Fa3U6ZG nb+n\|5Xm:?R]Ć(TVc#cYx|CYDWi.bBإGe9L1R49ve1h}PR #`=%17{c8vGc8RG5 5~A^ y1c*Y"'"KIE/]^|~8. dP]mͤ<؎7լ%\za8FSYhM!cbiJ]]-OQ/ ]ZX,:~eL<^^AF3 i"r\IoA$TC%rM` bTy Q9VŠ@Jk&pPJ;7^g6]4_q=!o7 Q&xfU'j"jn04n=TPuE8aciAcqsO"| dZƒM)RӰp-|ri?NRUzB9IfȻZZBQ)J Pc0]#R-J*YQ_] 5rS xWץ9;{'}ZpYXuvücno\.J Ys2x kHу%;7"6&Z:<}Q-Dr1&Ӄ݉tg|[2@ eˡWq-ĸm5ܵ4N5FgJн_3B{sl^?Rm{ι\`{1ð`EZ`3+n{l˪ZMȶ8+ilwAQg)q8 @\5m28 Rp߶:*=3 0c[q{Za``WO_ňVR>fD9mFx* L(ڏxX|L!1 \TcЭB)˪M;InP}sY?e=` ' 24/xyBBM{F dM,q|U:i|%w%۶ ~~1}3MM i.oAzoIg4، Pm̼܏HGbSxe㷍Gd.$qUo5`G; roEVIz# ,@Eꊍ\DQ9B p7۷j.~V =3C}m"y;Z4ZEax>S}b}s6$EuE)dw; wKy–s\vf+Uֽ?gC7L>-l  \Zs4e-wz}UO+E cDRw2O0 枩hTTdL4B&(qTi+$<49|zLY}nOKZ&9a k(E$aL n#B s43DtLkn ~Y;m%:="ȧn皉1J \-B@e=DqyyC5?tHxf4N18(aU T, !Lz)%n67p>9o2Y,a48`F"Og8= ܕmxdj,yǥ}-AGG71<` ?'غ9P(E>gٕa)豪/7)4 ;e| =M蕴B^Tȑ;^i`50 }a3brO4n0t{CZ&ǽuӽ"-¶V-J-uwO?t?u7~yfz0calB[d_T ΒQ9j]28SOsm.4 "GdȀW.}QX\mBzJ*Q>2 bA@*:[DŽOO!~r:j:ٙ%/KN#CE@ЦoJc>6rUNMo )n}>U; MjV}QuxQ3Q Q~7OZ.w3ʑO(?Y_~9ˠחwri9(u2UF9{ϽPy}Ȁ]2c|. /e|e}/>/3K D(?A2/2*c|@~2 *cnF _?3޿x&z/??}OP)'ߧ BmV9mBf_ry[rֺƅ)qFy9{'sg+I4^a芪g- /YSʹqմ 6 >? Vt{rUtKn yɻr%>SG0%nsOkr>u"[~|^Y;yx߇ oBgU=j{4qa CO3mJ'܌ӃXt{A5i\.׭mОMEACeGӠS7P3 !GaW@je2 ErG!<螡Z(_ MW+4\xoc Dӌn; 9w6*BVZ{_ M = G1wQ JUN--TzT,.g /(@#غ̷xR#xC3 y=q'a1V1;BDO"׏ ѱCFCWeL ,$ unQKp^Wv,P0~Y$P*`!K֞9^φ$ rb6gLߟQ1Ǥi!#lɒ]k"bؖB[']RƑL3 ,E~f&g- ؠGў#c7ӦB~ SEUSaKMDr&ߢjOGm U*A[`pOEf~ Z<6R*WEɑ""9<'$}'s>tjYFF`BOf}3qLa\Dm8ʺ(p0>&@ZA/`5ݤ1]dk,sff\'2 /§On3A ~2m o=h>I45~ɱd (W kƯnT#by x_waŻA'/OTx#0 Aflk8ӕcXK1wUWw-I'/Հ&ۧ~j:W3!?gITCȘ b0OF>ಓ_`৸/&-3ѭpS&bb P|_|aڳGv\Ֆ&{Bi+sLYZcm\$aBc M=)9s{PN;Y`_CFb+MVk*q.w I7,Nd=:vMh.˄Yx D愽HaC4u;׌eԢaנ~r:פX.-;E C >gv jcT7ue 2cX =`?GcС_ km!tZwkdYəW Bz ,*- ))b:m% 1o%:yhv[~A`'/];Q+π-sD?>7S1U)ւ_/gwd&%}YQ v|.uqNv\r#tfP/K7"i½oPm JO0wGw , CQ6N>Lc? `nwfښ ˎ4) iz S~jO(Coݒ\k<>aiЀΧYp穎m,U|J6A1^<&;z~%>2z l|_Odxƪ~axh=&gsx m(IS`i/@}^nT "+1<&ץEߟ2L\-Ԣ?MSg(\*],1Ał?vLw699j>E Ǣ8"U];x[9ԋO0xeӕhOyq;Z?Y m-p$`:Vڕ+zYL1e~}=3ӲG(q",@zP݌V`y%K@ z 78ǩ VmxjͺXg fkOTgwz*.u6r)* XCڢZ-QaW8~n`PT":xqea #V\r*z;f?PuYsTO34[;<;Oo:{hT*ቋo۝'݋M nN4hI:ݛv]NO;W񞞽P7w rF˳G`bhP7]hJz'14ɋmEg,3lW'uT+nu; o]F'e1TU>\JBS+$X/WfTNN wE&l)vsml-6C-{g睗(