Update Plugs Security Hole in Yahoo Widgets
An ActiveX Control error in earlier versions of Yahoo Widgets can lead to remote code execution.Yahoo is urging users of Yahoo Widgets to upgrade to address a vulnerability hackers can exploit remotely to take control of a compromised system. According to researchers at the French Security Incident Response Team, the issue is caused by a buffer overflow error in the "YDPCTL.YDPControl.1" (YDPCTL.dll) ActiveX control when processing malformed arguments passed to the "GetComponentVersion()" method. The flaw can be exploited by tricking a user into visiting a specially crafted Web page and could result in a denial-of-service attack or the takeover of an affected system.
Yahoo Widgets versions prior to 4.0.5 are affected by the flaw. The vulnerability was initially reported by the security firm Secunia, in Copenhagen, which rated it highly critical.