When users of the software log on to the IM network or enter a chat room, Yahoo is prompting them to install the patches. In addition, the company posted the patches on its Web site.
A buffer overflow is a common security vulnerability in computer programs written in C and C++ that allows more information to be added to a chunk of memory than it was designed to hold.
Buffer overflow attacks in Yahoo IM and Yahoo Chat could lead to a number of problems, according to a Yahoo representative. For example, people could be involuntarily logged out of an application. More seriously, it could allow the introduction of executable code, allowing a malicious programmer to take control of a user's machine, delete files and otherwise wreak havoc with a victim's computer system.
Such an attack could only happen if a victim were persuaded to view malicious HTML code, for example, by clicking on a link sent through IM that leads back to a Web page hosting the code. Yahoo said it was not aware of any IM or chat users compromised in this way.
A company representative said Yahoo was informed of the vulnerability by a member of the security community. Yahoo on Friday forwarded details of the vulnerabilities and their fixes to the Bugtraq security mailing list and Carnegie Mellon's CERT (Computer Emergency Response Team) security coordination center.
