Yahoo plugs IM security hole

By Matt Hines
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: AOL fights spyware in coming software upgrade
December 2, 2003; Macromedia developers get a shot at AIM
November 19, 2003; IM software makers talk compliance
November 11, 2003; AOL tests streaming-video IM service
November 6, 2003; Trillian connects with Yahoo yet again
October 9, 2003

Yahoo issued an update to its instant-messaging software, in order to address a security flaw found in the application earlier this week.

The company said the security issue was related to a buffer overflow, a common security vulnerability in computer programs written in C and C++ that allows more information to be added to a chunk of memory than it was designed to hold.

Typical problems involved in an instant-messaging-related buffer overflow might include an involuntarily log-out of an IM session, a crash of browsing software applications, and a possible introduction of executable code. The last of the potential problems would likely cause the most damage, as the code might allow a malicious programmer to take control of a user's machine, delete files and otherwise wreak havoc with a victim's computer system.

According to Yahoo, only a small percentage of the company's IM software users might be vulnerable as a result of the flaw. Yahoo said customers who changed their Explorer security settings from "medium" to "low" could be affected. The company said that



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

even in that case, an attacker would have to lure a user of Yahoo IM to view malicious HTML (Hypertext Markup Language) code. Most often this would entail clicking a link sent through IM that leads back to a Web page hosting the code. Before changing an IE security setting to low, individuals are warned by the browser that the setting is considered "highly unsafe." Yahoo said it has not yet heard of any successful attacks based on the buffer flaw.

Yahoo, which issued the new IM software Thursday, reported that it first learned of the vulnerability via a warning posted to a security message board Tuesday night. The company said it immediately began working to validate the flaw and address the issue. Yahoo recommends updating its IM software on a regular basis to ensure customers are protected against similar flaws.

A nearly identical flaw was addressed in an earlier security patch distributed by Yahoo earlier this year.

See more CNET content tagged:
IM, Yahoo! Inc., buffer-overflow, flaw, security

Latest tech news headlines

Opera 9.6 focuses on neglected features
Posted in The Download Blog by Seth Rosenblatt

October 8, 2008 12:01 AM PDT
Government use of biometrics still raises privacy concerns
Posted in News - Politics and Law by Stephanie Condon

October 8, 2008 12:00 AM PDT
Verizon officially debuts RIM BlackBerry Storm
Posted in Crave by Bonnie Cha

October 7, 2008 9:01 PM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Unisys hopes ex-Gateway chief can turn it around
Struggling IT services company has chosen Edward Coleman, a man it says has a long history of transforming troubled tech companies, to take over as CEO.
Gallery
Photos: Messenger returns to Mercury
Crave
Verizon officially debuts RIM BlackBerry Storm
Research In Motion and Verizon Wireless officially announce the first touch-screen BlackBerry, and CNET gets a hands-on look.
Outside the Lines
No escape from the perfect financial storm
After this perfect storm, brewed out of years of habit and taken down by mortgages for the masses, consumers and businesses will be far more conservative in their spending habits.
Video
Mercury exposed
News - Digital Media
Click-to-buy links for songs, games added to YouTube
YouTube is adding links to Amazon.com and the iTunes Store from the pages of thousands of its videos, making it easier for people to buy an MP3 they hear or a video game that looks good.
Video
DIY political ads proliferate
News - Politics and Law
Government use of biometrics still raises privacy concerns
Government and information technology industry representatives on Tuesday discussed how to make the public comfortable with the increasingly sophisticated ways the government collects identifiable information.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crossfade
The Cute Lepers, 'Terminal Boredom': Free MP3 of the Day
Download a free MP3 of "Terminal Boredom" courtesy of CNET Download Music.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.