Update Plugs Security Hole in Yahoo Widgets

 
 
By Brian Prince  |  Posted 2007-07-31 Email Print this article Print
 
 
 
 
 
 
 

An ActiveX Control error in earlier versions of Yahoo Widgets can lead to remote code execution.

Yahoo is urging users of Yahoo Widgets to upgrade to address a vulnerability hackers can exploit remotely to take control of a compromised system. According to researchers at the French Security Incident Response Team, the issue is caused by a buffer overflow error in the "YDPCTL.YDPControl.1" (YDPCTL.dll) ActiveX control when processing malformed arguments passed to the "GetComponentVersion()" method. The flaw can be exploited by tricking a user into visiting a specially crafted Web page and could result in a denial-of-service attack or the takeover of an affected system.
Yahoo Widgets versions prior to 4.0.5 are affected by the flaw. The vulnerability was initially reported by the security firm Secunia, in Copenhagen, which rated it highly critical.
"If your computer has installed Yahoo Widgets before June 20, 2007, you should install the update," according to a posting by Yahoo, in Sunnyvale, Calif. "Installing the update helps protect against exploits of this issue that may be developed." Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel