Yahoo issues security patch for IM

Yahoo issued a security patch to fix a potential vulnerability in its latest instant messaging software, the company said Friday.

The patch, first posted to the Web late Thursday, repairs a security hole stemming from Yahoo Messenger's use of the portable network graphics--or PNG--format, an open-source code the program uses to display certain images, such as buddy list avatars.

The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute malicious programs when a vulnerable application loads an image.

Yahoo posted a security update on its Yahoo Messenger site.

"This affects users on the all new Yahoo Messenger," said Yahoo spokeswoman Terrell Karlsten. She added that the patch will not change any functionality on the service.

The site pointed specifically to a warning issued last week by the United States Computer Emergency Readiness Team's Web site about the PNG vulnerability.

The security problems are in a library that lets applications such as browsers and instant messaging software handle PNG. The library is widely used by programs such as the Mozilla and Opera browsers and various e-mail clients, but has also found its way into Microsoft's Internet Explorer, Apple's Mail software for the Mac OS X and Yahoo Messenger for Windows. Most of these applications have been patched.