Security Updates - Yahoo Messenger

Messenger Ymsgr Control

December 3, 2003

Do I need to update Yahoo! Messenger to the new version?

Yes, if you are using a version of Yahoo! Messenger obtained before 2007 on a Windows PC.

How do I get the Security Update?

You can download the latest version of Yahoo! Messenger from http://messenger.yahoo.com/download/. Select the typical install option during the install process.

What is the security issue?

There is a security issue, commonly referred to as a buffer overflow, in Yahoo! Messenger.

How did Yahoo! learn of this?

Yahoo! has relationships with third-party security organizations and researchers. We first learned of this issue when it was posted to a security board late last night. Upon learning of the issue, we immediately began working through our verification process. We encourage members of the security community to contact us directly to report vulnerabilities at .

What is the potential impact?

Common impacts of a buffer overflow include being involuntarily logged out of a Messenger session and the crashing of applications such as Internet Explorer. In some instances, a buffer overflow may allow the introduction of executable code.

Who is affected?

Based on our internal analysis to date, we believe that this issue could only affect the very small percentage of Yahoo! Messenger users who have proactively changed their Internet Explorer security setting from the default level of "medium" to the highly unsafe "low" level. Within that small base of users, the attacker would then have to successfully prompt a user to view malicious HTML code, generally by leading them to a separate Web page. To change the IE security setting to "low", a user must go through several safeguards and prompts since it is a highly unsafe setting. We are not aware of any active exploits.

Why do I have to install the update?

Installing the update helps protect against exploits of this issue that may be developed.

How long will it take?

The update should take no more than a few minutes, although the exact time depends on the speed of your Internet connection.

What if I don't install the update?

Each time you sign in to Yahoo! Messenger, you will be prompted to update. If you choose not to update and you have not updated via this page, the vulnerability will still exist.