Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate ActiveX controls related to the webcam functionality. Both vulnerabilities are buffer overflows that can be exploited to execute arbitrary code on a victim's computer just by making him/her/it view a malicious web page in Internet Explorer.
Very accurate and script-kiddie-friendly exploits are publicly available for both vulnerabilities. It is possible that crimeware distributors will start exploiting this for drive-by downloads. Therefore, please install the latest upgraded version of Yahoo Messenger (ver 126.96.36.1991) as soon as possible. Yahoo will start distributing the new version soon through an automatic update, but until that happens, you will need to install the new version manually by going to the Yahoo Messenger download page.
*Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.*
Yahoo has a very good track record of fixing security issues quickly. However, I feel it is not proactive enough in communicating the security advisories to its users. For instance, for the current issues, there is no notice or link on the Yahoo Messenger home page or any other part of the website asking users to install the urgent security upgrade. You won't find the advisory unless you are looking for it.
Edited by jgweed, 10 June 2007 - 08:05 AM.