Security company eEye Digital Security, which found the bugs, gave them its highest security threat rating because they enable remote code execut1on.


Yahoo is working on a patch for critical Yahoo Messenger vulnerabilities that could enable a remote hacker to take control of a user's system. Researchers at eEye Digital Security found the bugs within the last few weeks and reported them to Yahoo on Wednesday, according to Marc Maiffret, co-founder and CTO of the security company. eEye's researchers say there actually are multiple flaws in version 8 of Yahoo's instant messenger client software.
The company gave the bugs its highest security threat rating. "If you're running this, your system could be compromised," said Maiffret. "It allows for remote [code] execut1on."
"We recently learned of a buffer overflow security issue in an ActiveX control," a Yahoo spokeswoman said in an e-mail to InformationWeek. "This control is part of the code for Web cam image upload and viewing. Upon learning of this issue, we began working towards a resolution and expect to have a fix shortly."
Maiffret was careful not to give out too much information about the flaw until Yahoo can issue a patch for it. However, he would say that for the vulnerability to cause a problem, the user would have take some kind of action.
"This type of flaw is not going to be prevented by antivirus," he added. "There's no real protection for this type of flaw."


http://www.informationweek.com/story...Sfeed_IWK_News