Yahoo Messenger releases security update

Yahoo has issued what one security company labels a "highly critical" update for the popular instant messaging feature.

The update is designed to combat software flaws that could allow an attacker to take over a person's computer.

The flaws affect versions of Yahoo Messenger 5.0 through 8.0, according to a security advisory released Friday by Secunia. Windows users who are running versions of Yahoo Messenger released before November 2 are advised to update to Yahoo Messenger 8.1.

Video: Checklist for Yahoo Messenger update install
CNET's Elsa Wenzel takes a look at how to update the feature while avoiding unwanted changes to your Internet browser.

A security flaw was found in the ActiveX control component of Yahoo's services suite that typically downloads with the Yahoo Messenger installer. The vulnerability could allow a buffer overflow to occur in the ActiveX control. A buffer overflow occurs when a computer tries to store too much data in a temporary storage area, resulting in a system crash or in giving an attacker "back door" access to the system.

As a result of the ActiveX vulnerability, people could involuntarily be logged out of a Messenger session, have an application such as Internet Explorer crash, or have malicious code launched on their PC if they're lured to a malicious Web site, according to a security advisory released by Yahoo.

In the past, Yahoo Messenger users have been the target of phishing attacks. Attackers would send a message to someone that appeared to come a person on their friends list, and then attempt to lure the IM user to a bogus Yahoo site. The site would then prompt the person to enter their Yahoo ID and password.