Yahoo Patches Instant Messaging Flaw

Yahoo this week disclosed a security vulnerability in its Messenger software, issuing a patch for those running versions dated before March 13. Yahoo has since released two updates to Messenger, and will begin prompting users to upgrade at sign-in.

The flaw involves Messenger's audio conferencing feature, which makes use of an ActiveX control that contains a buffer overflow. A user must be tricked into viewing malicious HTML, which could come from a Web site or e-mail, Yahoo said. "Some impacts of a buffer overflow might include being involuntarily logged out of a Chat and/or Instant Messaging session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code," the company explained.