Yahoo Messenger Security Hole - Get Latest Messenger ASAP
SANS Internet Storm Center (ISC) of Bethesda, MD and Secunia, a Danish vulnerability clearinghouse, both warned of holes in Yahoo Messenger that leave users vulnerable to attack. eEye Digital Security, based in Aliso Viejo, CA, also added to the reports last week.
In summary, they report that there are multiple flaws within Yahoo Messenger that allow remote execution of arbitrary code with very little user interaction. It was also reported that the holes center on a boundary error within the Yahoo Webcam Upload (ywcupl.dll) ActiveX control.
Here is what Secunia reported: attackers could exploit it to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "send()" method. There is also a boundary error within the Yahoo Webcam Viewer (ywcvwr.dll) ActiveX control, which attackers could exploit to cause a stack-based buffer overflow by assigning an overly long string to the "server" property and then calling the "receive()" method. The flaws affect version 8.1.0.249.
What to do: migrate to the latest version of Yahoo Messenger and/or set the kill bit for the affected ActiveX controls. For detailed findings, visit their sites.
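
One way to apply the kill-bit option on a Windows machine, as an added example that is not taken from the advisories: this page does not list the controls' CLSIDs, so the script looks them up from the two DLL names and then sets the standard `Compatibility Flags` value (0x400) under Internet Explorer's `ActiveX Compatibility` key. It assumes an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example: find the controls by DLL name, then set their kill bit.
# Run elevated. Only the two DLL names come from the advisory text above.
$dlls    = 'ywcupl.dll', 'ywcvwr.dll'
$killBit = 0x400   # "do not instantiate in Internet Explorer" compatibility flag
$clsidRoots  = 'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'   # 32-bit view on 64-bit Windows
$compatRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

# 1. Map each registered COM class to its in-process server DLL.
$found = foreach ($root in ($clsidRoots | Where-Object { Test-Path $_ })) {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        try   { $sub = $key.OpenSubKey('InprocServer32') }
        catch { continue }                                # unreadable key: skip it
        if (-not $sub) { continue }
        $server = ([string]$sub.GetValue('')).Trim('"')   # default value = DLL path
        $sub.Close()
        $leaf = ($server -split '[\\/]')[-1]              # file name without directory
        if ($leaf -and ($dlls -contains $leaf)) {         # -contains is case-insensitive
            [pscustomobject]@{ Clsid = $key.PSChildName; Server = $server }
        }
    }
}
if (-not $found) { Write-Output 'Neither control is registered on this machine.'; return }

# 2. Set the kill bit for every CLSID found, keeping any flags already present.
foreach ($clsid in ($found.Clsid | Sort-Object -Unique)) {
    foreach ($compat in ($compatRoots | Where-Object { Test-Path (Split-Path $_ -Parent) })) {
        $target = Join-Path $compat $clsid
        if (-not (Test-Path -LiteralPath $target)) { New-Item -Path $target -Force | Out-Null }
        $old = (Get-ItemProperty -LiteralPath $target -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$old) -bor $killBit
        New-ItemProperty -Path $target -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value $new -Force | Out-Null
        '{0}  flags 0x{1:X8}  {2}' -f $clsid, $new, $target   # report what was written
    }
}
```

The kill bit only stops Internet Explorer from loading the controls; the vulnerable DLLs stay on disk until Messenger itself is upgraded.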