Update Plugs Security Hole in Yahoo Widgets

An ActiveX Control error in earlier versions of Yahoo Widgets can lead to remote code execution.

Yahoo is urging users of Yahoo Widgets to upgrade to address a vulnerability hackers can exploit remotely to take control of a compromised system.

According to researchers at the French Security Incident Response Team, the issue is caused by a buffer overflow error in the "YDPCTL.YDPControl.1" (YDPCTL.dll) ActiveX control when processing malformed arguments passed to the "GetComponentVersion()" method. The flaw can be exploited by tricking a user into visiting a specially crafted Web page and could result in a denial-of-service attack or the takeover of an affected system.

Yahoo Widgets versions prior to 4.0.5 are affected by the flaw. The vulnerability was initially reported by the security firm Secunia, in Copenhagen, which rated it highly critical.

"If your computer has installed Yahoo Widgets before June 20, 2007, you should install the update," according to a posting by Yahoo, in Sunnyvale, Calif. "Installing the update helps protect against exploits of this issue that may be developed."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.