December 5, 2003 11:59 AM PST

Yahoo plugs IM security hole

By Matt Hines
Staff Writer, CNET News

Related Stories

AOL fights spyware in coming software upgrade

 December 2, 2003

Macromedia developers get a shot at AIM

 November 19, 2003

IM software makers talk compliance

 November 11, 2003

AOL tests streaming-video IM service

 November 6, 2003

Trillian connects with Yahoo yet again

 October 9, 2003
Yahoo issued an update to its instant-messaging software, in order to address a security flaw found in the application earlier this week.

The company said the security issue was related to a buffer overflow, a common security vulnerability in computer programs written in C and C++ that allows more information to be added to a chunk of memory than it was designed to hold.

Typical problems involved in an instant-messaging-related buffer overflow might include an involuntarily log-out of an IM session, a crash of browsing software applications, and a possible introduction of executable code. The last of the potential problems would likely cause the most damage, as the code might allow a malicious programmer to take control of a user's machine, delete files and otherwise wreak havoc with a victim's computer system.

According to Yahoo, only a small percentage of the company's IM software users might be vulnerable as a result of the flaw. Yahoo said customers who changed their Explorer security settings from "medium" to "low" could be affected. The company said that


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.
even in that case, an attacker would have to lure a user of Yahoo IM to view malicious HTML (Hypertext Markup Language) code. Most often this would entail clicking a link sent through IM that leads back to a Web page hosting the code. Before changing an IE security setting to low, individuals are warned by the browser that the setting is considered "highly unsafe." Yahoo said it has not yet heard of any successful attacks based on the buffer flaw.

Yahoo, which issued the new IM software Thursday, reported that it first learned of the vulnerability via a warning posted to a security message board Tuesday night. The company said it immediately began working to validate the flaw and address the issue. Yahoo recommends updating its IM software on a regular basis to ensure customers are protected against similar flaws.

A nearly identical flaw was addressed in an earlier security patch distributed by Yahoo earlier this year.

See more CNET content tagged:
IM, Yahoo! Inc., buffer-overflow, flaw, security

Powered by Jive Software
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right

  • Nanotech: The Circuits Blog

    Intel ships low-power chips for servers

    New server chips from processor giant draw as little as 12.5 watts per core.

  • Gallery

    Photos: Top 10 reviews of the week

    Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.

  • News - Apple

    Apple watchers spot 'iPod Nano' pix, iTunes hints

    The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.

  • Coop's Corner

    Chris Shipley 1, Internet lynch mob 0

    Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.

  • Video

    Katie Couric reflects on first Webcast

    The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.

  • Webware

    Google upgrades Gmail for IE 6 users

    The online e-mail application is faster for those using the 7-year-old browser and gets features already available to more modern browsers, Google said.

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Gaming and Culture

    Are Demo and TechCrunch50 fragmenting their audiences?

    With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Images: The art of 'Spore' prototypes

    Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.

  • Crossfade

    Kaskade, 'Beautiful Thing': Free MP3 of the Day

    Since Mark Farina's glory days in the late '90s there has been no house music success story like Kaskade's. Download a free MP3 of "Beautiful Thing" courtesy of CNET Download Music.

  • Green Tech

    TI does energy efficiency on a chip

    Its line of Piccolo microcontrollers can reduce power consumption significantly of home appliances, hybrid cars, LED lighting, and even solar panels.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET