Security Updates - Yahoo Messenger

Webcam ActiveX Controls

June 7, 2007

Do I need to update Yahoo! Messenger to the new version?

Yes, if you are using a version of Yahoo! Messenger obtained before June 8, 2007 on a Windows PC.

How do I get the Security Update?

You can download the latest version of Yahoo! Messenger from http://messenger.yahoo.com/download/. Select the typical install option during the install process.

What is the security issue?

Yahoo! recently learned of a security issue, commonly referred to as a buffer overflow, in an ActiveX control. This control is part of the software package downloaded with Yahoo! Messenger.

How did Yahoo! learn of this?

Yahoo! has relationships with third-party security organizations and researchers. eEye Digital Security informed Yahoo! of this particular security issue.

What is the potential impact?

Possible impacts of a buffer overflow include execution of attacker-supplied code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Internet Explorer. For this specific security issue, these impacts are only possible if an attacker succeeds in getting someone to view malicious HTML code, most likely by persuading that person to visit the attacker's web page.

Who is affected?

Yahoo! Messenger users who inadvertently view malicious HTML code on an attacker's website. If Yahoo! Messenger was installed on your computer before June 8, 2007, you should install the update.

Why do I have to install the update?

Installing the update helps protect against exploits of this issue that may be developed.

How long will it take?

The update should take no more than a few minutes, although the exact time depends on the speed of your Internet connection.

What if I don't install the update?

Each time you sign in to Yahoo! Messenger, you will be prompted to update. If you decline that prompt and do not update via the download page above, the vulnerability will remain on your computer.

I'm a technical user. What is the CLSID and exact version of the control that contains the fix?

Two CLSIDs are affected. The first CLSID is DCE2F8B1-A520-11D4-8FD0-00D0B7730277, and the fixed version of the control is 2.0.1.4. The second CLSID is 9D39223E-AE8E-11D4-8FD3-00D0B7730277, and the fixed version of the control is also 2.0.1.4.
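For administrators who want to verify the fix on a machine rather than rely on the sign-in prompt, the following PowerShell script is an added example (not Yahoo!'s own tooling): it looks up each CLSID above in the registry, reads the version of the DLL that implements the control, and compares it with the fixed version 2.0.1.4; it also reports whether Internet Explorer's kill bit (Compatibility Flags 0x400) is set for the control, which blocks it from being instantiated from a web page. The registry locations are standard COM/IE locations; the script is read-only.

```powershell
# Added example (not from the advisory): verify the Yahoo! Messenger webcam
# ActiveX controls are at the fixed version and check the IE kill-bit state.
$FixedVersion = [Version]'2.0.1.4'
$Clsids = @(
    '{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}',
    '{9D39223E-AE8E-11D4-8FD3-00D0B7730277}'
)

foreach ($clsid in $Clsids) {
    # InprocServer32's default value is the path of the DLL implementing the control.
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path $serverKey)) {
        Write-Output "$clsid : not registered (control not installed)"
        continue
    }
    $dll = (Get-ItemProperty -Path $serverKey).'(default)'
    if ([string]::IsNullOrEmpty($dll) -or -not (Test-Path $dll)) {
        Write-Output "$clsid : registered but DLL not found ($dll)"
        continue
    }

    # Build the version from the numeric parts to avoid vendor-specific
    # formatting of the FileVersion string (e.g. "2, 0, 1, 4").
    $vi = (Get-Item $dll).VersionInfo
    $installed = [Version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($installed -ge $FixedVersion) { 'FIXED' } else { 'VULNERABLE' }

    # IE kill bit: Compatibility Flags value with bit 0x400 set under this key.
    $killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $killBit = $false
    if (Test-Path $killKey) {
        $flags = (Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400) -ne 0) { $killBit = $true }
    }

    Write-Output ("{0} : {1} (installed {2}, fixed {3}, DLL {4}, kill bit {5})" -f
        $clsid, $status, $installed, $FixedVersion, $dll, $killBit)
}
```

Run it in a PowerShell prompt on the Windows PC in question; a control reported as VULNERABLE with no kill bit set should be updated via the download link above.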