December 5, 2003 11:59 AM PST
Yahoo plugs IM security hole
The company said the security issue was related to a buffer overflow, a common security vulnerability in computer programs written in C and C++ that allows more information to be added to a chunk of memory than it was designed to hold.
Typical problems involved in an instant-messaging-related buffer overflow might include an involuntarily log-out of an IM session, a crash of browsing software applications, and a possible introduction of executable code. The last of the potential problems would likely cause the most damage, as the code might allow a malicious programmer to take control of a user's machine, delete files and otherwise wreak havoc with a victim's computer system.
According to Yahoo, only a small percentage of the company's IM software users might be vulnerable as a result of the flaw. Yahoo said customers who changed their Explorer security settings from "medium" to "low" could be affected. The company said that
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Yahoo, which issued the new IM software Thursday, reported that it first learned of the vulnerability via a warning posted to a security message board Tuesday night. The company said it immediately began working to validate the flaw and address the issue. Yahoo recommends updating its IM software on a regular basis to ensure customers are protected against similar flaws.
A nearly identical flaw was addressed in an earlier security patch distributed by Yahoo earlier this year.