Security Updates - Yahoo Messenger

ActiveX Control Update

August 29, 2007

Do I need to update Yahoo! Messenger to the new version?

Yes, if you are using a version of Yahoo! Messenger installed before August 29, 2007 on a Windows PC.

How do I get the Security Update?

You can download the latest version of Yahoo! Messenger from http://messenger.yahoo.com/download/. Select the typical install option during the install process.

What is the security issue?

Yahoo! recently identified a security issue, commonly referred to as a buffer overflow in an ActiveX control. This control is part of the Yahoo! services suite typically downloaded with the installer for Yahoo! Messenger.

How did Yahoo! learn of this?

Yahoo! has relationships with third-party security organizations and researchers. iDefense Labs informed Yahoo! of this particular security issue.

What is the potential impact?

Some impacts of a buffer overflow might include involuntary log out of a Yahoo! Chat and/or Yahoo! Messenger session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code. In this case, these problems could only happen if an attacker successfully lured the Yahoo! Messenger user to view malicious HTML code, most likely by getting a person to visit the attacker’s web page. To our knowledge, there have been no known malicious executable code exploits related to this issue.

Who is affected?

If your computer has installed Yahoo! Messenger before August 29, 2007, you should install the update.

Why do I have to install the update?

Installing the update helps protect against exploits of this issue that may be developed.

How long will it take?

The update should take no more than a few minutes, although the exact time depends on the speed of your Internet connection.

What if I don't install the update?

Each time you sign in to Yahoo! Messenger, you will be prompted to update. If you choose not to update and you have not updated via this page, the vulnerability will still exist.

I'm a technical user. What is the CLSID and exact version of the control that contains the fix?

The CLSID is 64AA7031-C150-4118-8D31-FD273A2BB22C and the version 2007.8.27.1 or above. MITRE has assigned CVE-2007-4515 to track this issue.