• On TV.com: TOP 10 Shows CANCELED Too Soon
advertisementGet Smart about Business Spending
February 4, 2008 2:01 PM PST

Yahoo IM affected by ActiveX vulnerabilities

by Robert Vamosi
  • Font size
  • Print
  • 3 comments

On the heels of ActiveX vulnerabilities in the image uploading tools for Facebook and MySpace.com, researchers warned Monday that Yahoo Instant Messenger and Yahoo Messenger are vulnerable to ActiveX-based attacks.

Researcher Elazar Broad has disclosed a Boundary Condition vulnerability within mediagrid.dll, version 2.2.2 56. Researchers Krystian Kloskowski and Broad have disclosed a second Boundary Condition vulnerability within datagrid.dll, version 2.2.2 56c. And Kloskowski alone has disclosed a buffer overflow within datagrid.dll 2.2.2 56, which affects the AddImage function.

The three vulnerabilities are present within Yahoo Instant Messenger version 3.5 and Yahoo Messenger versions 4.0, 5.0, and 5.5, and could allow an attacker to compromise affected systems.

There are no known public exploits for these at this time. There is no patch available.

The existing workaround includes enabling the ActiveX control for each. Microsoft provides more details here . The specific CLSIDs for the ActiveX controls involved are:

Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139
Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Browsers and extensions,

Chat and e-mail,

Security

Tags:

security,

vulnerablity,

Yahoo Instant Messenger,

Yahoo Messenger,

Krystian Kloskowski,

Elazar Broad

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Critical Windows 7 holes fixed in record Patch Tuesday
Now playing: FoxyTunes on Yahoo Messenger
Yahoo Mail outages plague some users
Trillian IM: Apple's sitting on our iPhone app
Yahoo betting on content biz revival
Microsoft to fix holes in Windows, Office
Trillian 4.1 beta for Windows opens up
Jailbroken iPhone? SSH installed? Beware of worms!
Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
Conspiracy theory...
by jeromatron February 4, 2008 3:24 PM PST
So this is total conspiracy theory but here goes...

So since Yahoo! isn't thus far acquiescing to the buyout, Microsoft will go ahead and let slip different vulnerabilities in their software...?
Reply to this comment
the problem being
by catch23 February 4, 2008 4:39 PM PST
that ActiveX is a specification, and the vulnerable control was written 100% by Yahoo.
As is the case with most ActiveX vulnerabilities. MS has nothing to do with writing the crappy code.

in South Korean, lots and lots of banks use ActiveX controls for data transfer. They write them correctly, and therefore don't have vulnerabilities.
Over here, people just blame MS....
Certainly a conspiracy theory
by hlywd217 February 4, 2008 5:28 PM PST
haha nice
Reply to this comment
(3 Comments)
  • prev
  • 1
  • next
advertisement

Graphics showdown: 13 games for newer iPhones

So you've got an old iPhone or iPod and want to see what some of the latest games are doing with the newer hardware? We've checked out 11 titles to show you the differences.
• Images: Old vs. new

Intel to pay AMD $1.25B in settlement

Antitrust and intellectual property fights come to an end for now. AMD will drop all pending litigation, and Intel will "abide by" a long list of prohibitions.
• AMD: Our claims are 'ratified'

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET